
Dynamic Multipoint VPN Configuration Guide, Cisco IOS Release 15M&T
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS,
INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH
THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY,
CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of
the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS.
CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT
LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network
topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional
and coincidental.

All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current online version for the latest version.

Cisco has more than 200 offices worldwide. Addresses and phone numbers are listed on the Cisco website at www.cisco.com/go/offices.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL:
www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any
other company. (1721R)
© 2020 Cisco Systems, Inc. All rights reserved.
CONTENTS

CHAPTER 1 Dynamic Multipoint VPN 1

Finding Feature Information 1


Prerequisites for Dynamic Multipoint VPN (DMVPN) 1
Restrictions for Dynamic Multipoint VPN (DMVPN) 2
DMVPN Support on the Cisco 6500 and Cisco 7600 2

Information About Dynamic Multipoint VPN (DMVPN) 4


Benefits of Dynamic Multipoint VPN (DMVPN) 4
Feature Design of Dynamic Multipoint VPN (DMVPN) 5
IPsec Profiles 6
VRF Integrated DMVPN 6
DMVPN--Enabling Traffic Segmentation Within DMVPN 7
NAT-Transparency Aware DMVPN 9
Call Admission Control with DMVPN 10
NHRP Rate-Limiting Mechanism 10
How to Configure Dynamic Multipoint VPN (DMVPN) 11
Configuring an IPsec Profile 11
What to Do Next 13
Configuring the Hub for DMVPN 13
Configuring the Spoke for DMVPN 16
Configuring the Forwarding of Clear-Text Data IP Packets into a VRF 19
Configuring the Forwarding of Encrypted Tunnel Packets into a VRF 20
Configuring DMVPN--Traffic Segmentation Within DMVPN 21
Prerequisites 21
Enabling MPLS on the VPN Tunnel 21
Configuring Multiprotocol BGP on the Hub Router 22
Configuring Multiprotocol BGP on the Spoke Routers 24

Dynamic Multipoint VPN Configuration Guide, Cisco IOS Release 15M&T


iii
Contents

Troubleshooting Dynamic Multipoint VPN (DMVPN) 26


What to Do Next 30
Configuration Examples for Dynamic Multipoint VPN (DMVPN) Feature 30
Example Hub Configuration for DMVPN 30
Example Spoke Configuration for DMVPN 31
Example VRF Aware DMVPN 32
Example 2547oDMVPN with Traffic Segmentation (with BGP only) 34
Example 2547oDMVPN with Traffic Segmentation (Enterprise Branch) 38
Additional References 46
Feature Information for Dynamic Multipoint VPN (DMVPN) 47
Glossary 48

CHAPTER 2 IPv6 over DMVPN 51

Finding Feature Information 51


Prerequisites for IPv6 over DMVPN 52
Information About IPv6 over DMVPN 52
DMVPN for IPv6 Overview 52
NHRP Routing 52
IPv6 Routing 53
IPv6 Addressing and Restrictions 54
How to Configure IPv6 over DMVPN 54
Configuring an IPsec Profile in DMVPN for IPv6 54
Configuring the Hub for IPv6 over DMVPN 56
Configuring the NHRP Redirect and Shortcut Features on the Hub 59
Configuring the Spoke for IPv6 over DMVPN 61
Verifying DMVPN for IPv6 Configuration 64
Monitoring and Maintaining DMVPN for IPv6 Configuration and Operation 66
Configuration Examples for IPv6 over DMVPN 67
Example: Configuring an IPsec Profile 67
Example: Configuring the Hub for DMVPN 67
Example: Configuring the Spoke for DMVPN 69
Example: Configuring the NHRP Redirect and Shortcut Features on the Hub 70
Example: Configuring NHRP on the Hub and Spoke 70
Additional References 71


Feature Information for IPv6 over DMVPN 72

CHAPTER 3 DMVPN Configuration Using FQDN 75

Finding Feature Information 75


Prerequisites for DMVPN Configuration Using FQDN 76
Restrictions for DMVPN Configuration Using FQDN 76
Information About DMVPN Configuration Using FQDN 76
DNS Functionality 76
DNS Server Deployment Scenarios 76
How to Configure DMVPN Configuration Using FQDN 77
Configuring a DNS Server on a Spoke 77
Configuring a DNS Server 77
Configuring an FQDN with a Protocol Address 78
Configuring a FQDN Without an NHS Protocol Address 79
Verifying DMVPN FQDN Configuration 81
Configuration Examples for DMVPN Configuration Using FQDN 82
Example Configuring a Local DNS Server 82
Example Configuring an External DNS Server 82
Example Configuring NHS with a Protocol Address and an NBMA Address 83
Example Configuring NHS with a Protocol Address and an FQDN 83
Example Configuring NHS Without a Protocol Address and with an NBMA Address 83
Example Configuring NHS Without a Protocol Address and with an FQDN 83
Additional References 84
Feature Information for DMVPN Configuration Using FQDN 85

CHAPTER 4 Per-Tunnel QoS for DMVPN 87


Finding Feature Information 87
Prerequisites for Per-Tunnel QoS for DMVPN 87
Restrictions for Per-Tunnel QoS for DMVPN 88
Information About Per-Tunnel QoS for DMVPN 88
Per-Tunnel QoS for DMVPN Overview 88
Benefits of Per-Tunnel QoS for DMVPN 88
NHRP QoS Provisioning for DMVPN 89
Per-Tunnel QoS for Spoke to Spoke Connections 89


How to Configure Per-Tunnel QoS for DMVPN 90


Configuring an NHRP Group on a Spoke 90
Configuring an NHRP Group Attribute on a Spoke 90
Mapping an NHRP Group to a QoS Policy on the Hub 91
Enabling DMVPN Per-tunnel QoS Sourced from Port Channel 92
Verifying Per-Tunnel QoS for DMVPN 93
Configuration Examples for Per-Tunnel QoS for DMVPN 94
Example: Configuring an NHRP Group on a Spoke 94
Example: Configuring an NHRP Group Attribute on a Spoke 95
Example: Mapping an NHRP Group to a QoS Policy on the Hub 96
Example: Enabling DMVPN Per-tunnel QoS Sourced from Port Channel 97

Example: Verifying Per-Tunnel QoS for DMVPN 98


Additional References for Per-Tunnel QoS for DMVPN 102
Feature Information for Per-Tunnel QoS for DMVPN 102

CHAPTER 5 DMVPN Tunnel Health Monitoring and Recovery 105

Finding Feature Information 105


Prerequisites for DMVPN Tunnel Health Monitoring and Recovery 105
Restrictions for DMVPN Tunnel Health Monitoring and Recovery 106
Information About DMVPN Tunnel Health Monitoring and Recovery 106
NHRP Extension MIB 106
DMVPN Syslog Messages 107
Interface State Control 107
Interface State Control Configuration Workflow 108
How to Configure DMVPN Tunnel Health Monitoring and Recovery 109
Configuring Interfaces to Generate SNMP NHRP Notifications 109
Troubleshooting Tips 110
Configuring Interface State Control on an Interface 110
Configuration Examples for DMVPN Tunnel Health Monitoring and Recovery 111
Example: Configuring SNMP NHRP Notifications 111
Example: Configuring Interface State Control 111
Additional References for DMVPN Tunnel Health Monitoring and Recovery 112
Feature Information for DMVPN Tunnel Health Monitoring and Recovery 113


CHAPTER 6 DMVPN-Tunnel Health Monitoring and Recovery Backup NHS 115


Finding Feature Information 115
Information About DMVPN-Tunnel Health Monitoring and Recovery Backup NHS 116
NHS States 116
NHS Priorities 116
NHS Clusterless Model 116
NHS Clusters 117
NHS Fallback Time 118
NHS Recovery Process 119
Alternative Spoke to Hub NHS Tunnel 119
Returning to Preferred NHS Tunnel upon Recovery 120
How to Configure DMVPN-Tunnel Health Monitoring and Recovery Backup NHS 121
Configuring the Maximum Number of Connections for an NHS Cluster 121
Configuring NHS Fallback Time 122
Configuring NHS Priority and Group Values 123
Verifying the DMVPN-Tunnel Health Monitoring and Recovery Backup NHS Feature 124
Configuration Examples for DMVPN-Tunnel Health Monitoring and Recovery Backup NHS 125
Example Configuring Maximum Connections for an NHS Cluster 125
Example Configuring NHS Fallback Time 126
Example Configuring NHS Priority and Group Values 126
Additional References 126
Feature Information for DMVPN-Tunnel Health Monitoring and Recovery Backup NHS 127

CHAPTER 7 DMVPN Event Tracing 129

Finding Feature Information 129


Information About DMVPN Event Tracing 129
Benefits of DMVPN Event Tracing 129
DMVPN Event Tracing Options 130
How to Configure DMVPN Event Tracing 130
Configuring DMVPN Event Tracing in Privileged EXEC Mode 130
Configuring DMVPN Event Tracing in Global Configuration Mode 131
Configuration Examples for DMVPN Event Tracing 132
Example Configuring DMVPN Event Tracing in Privileged EXEC Mode 132


Example Configuring DMVPN Event Tracing in Global Configuration Mode 132


Additional References 132
Feature Information for DMVPN Event Tracing 133

CHAPTER 8 NHRP MIB 135

Finding Feature Information 135


Prerequisites for NHRP MIB 135
Restrictions for NHRP MIB 136
Information About NHRP MIB 136
CISCO-NHRP-MIB 136
RFC-2677 136
How to Use NHRP MIB 136
Verifying NHRP MIB Status 137
Configuration Examples for NHRP MIB 137
Example Verifying NHRP MIB Status 137
Example VRF-Aware NHRP MIB Configuration 137
Additional References 139
Feature Information for NHRP MIB 140

CHAPTER 9 DMVPN Dynamic Tunnels Between Spokes Behind a NAT Device 141

Finding Feature Information 141


Restrictions for DMVPN Dynamic Tunnels Between Spokes Behind a NAT Device 141
Information About DMVPN Dynamic Tunnels Between Spokes Behind a NAT Device 142
DMVPN Spoke-to-spoke Tunneling Limited to Spokes not Behind a NAT Device 142
NHRP Registration 143
NHRP Resolution 144
NHRP Spoke-to-Spoke Tunnel with a NAT Device 144
NHRP Registration Process 145
NHRP Resolution and Purge Process 145
Additional References 146
Feature Information for DMVPN Dynamic Tunnels Between Spokes Behind a NAT Device 147

CHAPTER 10 DHCP Tunnels Support 149

Finding Feature Information 149


Restrictions for DHCP Tunnels Support 149


Information About DHCP Tunnels Support 150
DHCP Overview 150
DHCP Behavior on a Tunnel Network 150
DMVPN Hub as a DHCP Relay Agent 151
DMVPN Topologies 151
Dual-Hub Single-DMVPN Topology 151
Dual-Hub Dual-DMVPN Topology 151
Hierarchical DMVPN Topology 151
How to Configure DHCP Tunnels Support 151
Configuring the DHCP Relay Agent to Unicast DHCP Replies 151
Configuring a DMVPN Spoke to Clear the Broadcast Flag 152
Configuration Examples for DHCP Tunnels Support 153
Example Configuring a DHCP Relay Agent to Unicast DHCP Replies 153
Example Configuring a DMVPN Spoke to Clear the Broadcast Flag and Set the IP Address to DHCP 154

Additional References 154


Feature Information for DHCP Tunnels Support 155

CHAPTER 11 Sharing IPsec with Tunnel Protection 157

Finding Feature Information 157


Restrictions for Sharing IPsec with Tunnel Protection 158
Information About Sharing IPsec with Tunnel Protection 159
Single IPsec SA 159
How to Share an IPsec Session Between Multiple Tunnels 160
Sharing an IPsec SADB Between Multiple Tunnel Interfaces in a DMVPN 160
Configuration Examples for Sharing IPsec with Tunnel Protection 161
Example: Sharing IPsec Sessions Between Multiple Tunnels 161
Hub 1 Configuration 162
Hub 2 Configuration 163
Spoke 1 Configuration 164
Spoke 2 Configuration 165
Additional References for Sharing IPsec with Tunnel Protection 171
Feature Information for Sharing IPsec with Tunnel Protection 172


Glossary 173

CHAPTER 12 DMVPN NHRP Event Publisher 175

Finding Feature Information 175


Prerequisites for DMVPN NHRP Event Publisher 175
Restrictions for DMVPN NHRP Event Publisher 176
Information About DMVPN NHRP Event Publisher 176
Dynamic Spoke-to-Spoke Tunnels 176
DMVPN NHRP Event Publisher 176
Embedded Event Manager 177
NHRP Event Publishing Flow 177
How to Configure DMVPN NHRP Event Publisher 178
Configuration Examples for DMVPN NHRP Event Publisher 180
Example Configuring DMVPN NHRP Event Publisher 180
Additional References 180
Feature Information for DMVPN NHRP Event Publisher 181

CHAPTER 13 Configuring TrustSec DMVPN Inline Tagging Support 183

Finding Feature Information 183


Prerequisites for Configuring TrustSec DMVPN Inline Tagging Support 183
Restrictions for Configuring TrustSec DMVPN Inline Tagging Support 184
Information About Configuring TrustSec DMVPN Inline Tagging Support 184
Cisco TrustSec 184
SGT and IPsec 185
SGT on the IKEv2 Initiator and Responder 186
Handling Fragmentation 186
How to Configure TrustSec DMVPN Inline Tagging Support 187
Enabling IPsec Inline Tagging 187
Monitoring and Verifying TrustSec DMVPN Inline Tagging Support 187
Enabling IPsec Inline Tagging on IKEv2 Networks 189
Configuration Examples for TrustSec DMVPN Inline Tagging Support 190
Example: Enabling IPsec Inline Tagging on IKEv2 Networks 190
Additional References for TrustSec DMVPN Inline Tagging Support 194
Feature Information for TrustSec DMVPN Inline Tagging Support 195


CHAPTER 14 Spoke-to-Spoke NHRP Summary Maps 197

Finding Feature Information 197


Information About Spoke-to-Spoke NHRP Summary Maps 197
Spoke-to-Spoke NHRP Summary Maps 197
NHRP Summary Map Support for IPv6 Overlay 199
How to Configure Spoke-to-Spoke NHRP Summary Maps 199
Configuring Spoke-to-Spoke NHRP Summary Maps on Spoke 199
Verifying Spoke-to Spoke NHRP Summary Maps 201
Troubleshooting Spoke-to-Spoke NHRP Summary Maps 202
Configuration Examples for Spoke-to-Spoke NHRP Summary Maps 203
Example: Spoke-to-Spoke NHRP Summary Maps 203
Additional References for Spoke-to-Spoke NHRP Summary Maps 205
Feature Information for Spoke-to-Spoke NHRP Summary Maps 205

CHAPTER 1
Dynamic Multipoint VPN
The Dynamic Multipoint VPN (DMVPN) feature allows users to better scale large and small IP Security
(IPsec) Virtual Private Networks (VPNs) by combining generic routing encapsulation (GRE) tunnels, IPsec
encryption, and Next Hop Resolution Protocol (NHRP).

Note Security threats, as well as the cryptographic technologies to help protect against them, are constantly changing.
For more information about the latest Cisco cryptographic recommendations, see the Next Generation
Encryption (NGE) white paper.

• Finding Feature Information, on page 1
• Prerequisites for Dynamic Multipoint VPN (DMVPN), on page 1
• Restrictions for Dynamic Multipoint VPN (DMVPN), on page 2
• Information About Dynamic Multipoint VPN (DMVPN), on page 4
• How to Configure Dynamic Multipoint VPN (DMVPN), on page 11
• Configuration Examples for Dynamic Multipoint VPN (DMVPN) Feature, on page 30
• Additional References, on page 46
• Feature Information for Dynamic Multipoint VPN (DMVPN), on page 47
• Glossary, on page 48

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for Dynamic Multipoint VPN (DMVPN)


• Before a multipoint GRE (mGRE) and IPsec tunnel can be established, you must define an Internet Key
Exchange (IKE) policy by using the crypto isakmp policy command.


• For the NAT-Transparency Aware enhancement to work, you must use IPsec transport mode on the
transform set. Also, even though NAT-Transparency can support two peers (IKE and IPsec) being
translated to the same IP address (using the User Datagram Protocol [UDP] ports to differentiate them
[that is, Peer Address Translation (PAT)]), this functionality is not supported for DMVPN. All DMVPN
spokes must have a unique IP address after they have been NAT translated. They can have the same IP
address before they are NAT translated.
• To enable 2547oDMVPN--Traffic Segmentation Within DMVPN, you must configure Multiprotocol
Label Switching (MPLS) by using the mpls ip command.

Restrictions for Dynamic Multipoint VPN (DMVPN)


• If you use the Dynamic Creation for Spoke-to-Spoke Tunnels benefit of this feature, you must use IKE
certificates or wildcard preshared keys for Internet Security Association Key Management Protocol
(ISAKMP) authentication.

Note It is highly recommended that you do not use wildcard preshared keys, because an attacker will have access
to the entire VPN if any one spoke router is compromised.

• GRE tunnel keepalives (that is, the keepalive command under a GRE interface) are not supported on
point-to-point or multipoint GRE tunnels in a DMVPN Network.
• For best DMVPN functionality, it is recommended that you run the latest Cisco IOS software Release
12.4 mainline, 12.4T, or 12.2(18)SXF.
• If one spoke is behind one NAT device and another different spoke is behind another NAT device, and
Peer Address Translation (PAT) is the type of NAT used on both NAT devices, then a session initiated
between the two spokes cannot be established.

One example of a PAT configuration on a NAT interface is:

ip nat inside source list nat_acl interface FastEthernet0/1 overload

DMVPN Support on the Cisco 6500 and Cisco 7600


Blade-to-Blade Switchover on the Cisco 6500 and Cisco 7600
• DMVPN does not support blade-to-blade switchover on the Cisco 6500 and Cisco 7600.

Cisco 6500 or Cisco 7600 As a DMVPN Hub


• A Cisco 6500 or Cisco 7600 that is functioning as a DMVPN hub cannot be located behind a NAT router.
• If a Cisco 6500 or Cisco 7600 is functioning as a DMVPN hub, the spoke behind NAT must be a Cisco
6500 or Cisco 7600, respectively, or the router must be upgraded to Cisco IOS software Release
12.3(11)T02 or a later release.


Cisco 6500 or Cisco 7600 As a DMVPN Spoke


• If a Cisco 6500 or Cisco 7600 is functioning as a spoke, the hub cannot be behind NAT.
• If a Cisco 6500 or Cisco 7600 is functioning as a DMVPN spoke behind NAT, the hub must be a Cisco
6500 or Cisco 7600, respectively, or the router must be upgraded to Cisco IOS Release 12.3(11)T02 or
a later release.

DMVPN Hub or Spoke Supervisor Engine


• Only a Supervisor Engine 720 can be used as a DMVPN hub or spoke. A Supervisor Engine 2 cannot
be used.

Encrypted Multicast with GRE


• Encrypted Multicast with GRE is not supported on the Cisco 6500 nor on the Cisco 7600.

mGRE Interfaces
• If there are two mGRE interfaces on the same DMVPN node and neither of them has a tunnel key, the
two mGRE interfaces must each have a unique tunnel source address (or interface) configured.
• On the Cisco 6500 and Cisco 7600, each GRE interface (multipoint or point-to-point) must have a unique
tunnel source address (or interface).
• The following commands are not supported under mGRE with DMVPN: ip tcp adjust-mss, qos
pre-classify tunnel vrf, tunnel path-mtu-discovery, and tunnel vrf.

Quality of Service (QoS)


• You cannot use QoS for DMVPN packets on a Cisco 6500 or Cisco 7600.

Tunnel Key
• The use of a tunnel key on a GRE (multipoint or point-to-point) interface is not supported in the hardware
switching ASICs on the Cisco 6500 and Cisco 7600 platforms. If a tunnel key is configured, throughput
performance is greatly reduced.
• In Cisco IOS Release 12.3(11)T3 and Release 12.3(14)T, the requirement that a mGRE interface must
have a tunnel key was removed. Therefore, in a DMVPN network that includes a Cisco 6500 or Cisco
7600 as a DMVPN node, you should remove the tunnel key from all DMVPN nodes in the DMVPN
network, thus preserving the throughput performance on the Cisco 6500 and Cisco 7600 platforms.
• If the tunnel key is not configured on one DMVPN node within a DMVPN network, it must not be
configured on any other DMVPN node within that DMVPN network.

VRF-Aware DMVPN Scenarios


• The mls mpls tunnel-recir command must be configured on the provider equipment (PE) DMVPN hub
if customer equipment (CE) DMVPN spokes need to “talk” to other CEs across the MPLS cloud.
• The mGRE interface should be configured with a large enough IP maximum transmission unit (1400
bytes) to avoid having the route processor perform fragmentation.
• Enhanced Interior Gateway Routing Protocol (EIGRP) should be avoided.

Information About Dynamic Multipoint VPN (DMVPN)


Benefits of Dynamic Multipoint VPN (DMVPN)
Hub Router Configuration Reduction
• Currently, for each spoke router, there is a separate block of configuration lines on the hub router that
define the crypto map characteristics, the crypto access list, and the GRE tunnel interface. This feature
allows users to configure a single mGRE tunnel interface, a single IPsec profile, and no crypto access
lists on the hub router to handle all spoke routers. Thus, the size of the configuration on the hub router
remains constant even if spoke routers are added to the network.
• DMVPN architecture can group many spokes into a single multipoint GRE interface, removing the need
for a distinct physical or logical interface for each spoke in a native IPsec installation.

Automatic IPsec Encryption Initiation


• GRE has the peer source and destination address configured or resolved with NHRP. Thus, this feature
allows IPsec to be immediately triggered for the point-to-point GRE tunneling or when the GRE peer
address is resolved via NHRP for the multipoint GRE tunnel.

Support for Dynamically Addressed Spoke Routers


• When using point-to-point GRE and IPsec hub-and-spoke VPN networks, the physical interface IP
address of the spoke routers must be known when configuring the hub router, because that IP address must
be configured as the GRE tunnel destination address. This feature allows spoke routers to have dynamic
physical interface IP addresses (common for cable and DSL connections). When the spoke router comes
online, it sends registration packets to the hub router; these registration packets carry the current
physical interface IP address of the spoke.

Dynamic Creation for Spoke-to-Spoke Tunnels


• This feature eliminates the need for spoke-to-spoke configuration for direct tunnels. When a spoke router
wants to transmit a packet to another spoke router, it can now use NHRP to dynamically determine the
required destination address of the target spoke router. (The hub router acts as the NHRP server, handling
the request for the source spoke router.) The two spoke routers dynamically create an IPsec tunnel between
them so data can be directly transferred.

VRF Integrated DMVPN


• DMVPNs can be used to extend the Multiprotocol Label Switching (MPLS) networks that are deployed
by service providers to take advantage of the ease of configuration of hub and spokes, to provide support
for dynamically addressed customer premises equipment (CPEs), and to provide zero-touch provisioning
for adding new spokes into a DMVPN.


Feature Design of Dynamic Multipoint VPN (DMVPN)


The Dynamic Multipoint VPN (DMVPN) feature combines GRE tunnels, IPsec encryption, and NHRP routing
to provide users an ease of configuration via crypto profiles--which override the requirement for defining
static crypto maps--and dynamic discovery of tunnel endpoints.
This feature relies on the following two Cisco enhanced standard technologies:
• NHRP--A client and server protocol where the hub is the server and the spokes are the clients. The hub
maintains an NHRP database of the public interface addresses of each spoke. Each spoke registers
its real address when it boots and queries the NHRP database for the real addresses of destination spokes
in order to build direct tunnels.
• mGRE Tunnel Interface--Allows a single GRE interface to support multiple IPsec tunnels and reduces
the size and complexity of the configuration.

The topology shown in the diagram below and the corresponding bullets explain how this feature works.
Figure 1: Sample mGRE and IPsec Integration Topology

• Each spoke has a permanent IPsec tunnel to the hub, not to the other spokes within the network. Each
spoke registers as a client of the NHRP server.
• When a spoke needs to send a packet to a destination (private) subnet on another spoke, it queries the
NHRP server for the real (outside) address of the destination (target) spoke.
• After the originating spoke “learns” the peer address of the target spoke, it can initiate a dynamic IPsec
tunnel to the target spoke.
• The spoke-to-spoke tunnel is built over the multipoint GRE interface.
• The spoke-to-spoke links are established on demand whenever there is traffic between the spokes.
Thereafter, packets can bypass the hub and use the spoke-to-spoke tunnel.


Note After a preconfigured amount of inactivity on the spoke-to-spoke tunnels, the router will tear down those
tunnels to save resources (IPsec security associations [SAs]).
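As an added illustration (not Cisco code or output from this guide), the following Python model walks through the exchange just described: NHRP registration, resolution through the hub, on-demand spoke-to-spoke tunnels and their teardown after inactivity, together with the NAT-related rules from the Prerequisites and Restrictions sections above (post-NAT addresses must be unique, and two spokes that are both behind PAT cannot build a direct session). All names, addresses and the 120-second idle timer are constructed assumptions.

```python
"""Model of the DMVPN NHRP exchange described in the guide.

Added illustration, not Cisco code or output. Spokes register their
outside (NBMA) address with the hub, resolve peers through the hub, build
direct spoke-to-spoke tunnels on demand, and tear them down after
inactivity. NAT rules from the guide are applied: with IPsec transport
mode the hub records the post-NAT address, translated addresses must be
unique, and two spokes both behind PAT get no direct tunnel.
All addresses, names and timers are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass
class Spoke:
    name: str
    tunnel_ip: str                    # overlay address on the mGRE interface
    outside_ip: str                   # physical interface address (pre-NAT)
    nat_public: Optional[str] = None  # address after NAT, if behind a NAT device
    pat: bool = False                 # NAT device uses PAT (overload)

    @property
    def nbma_seen_by_hub(self) -> str:
        """Source address the hub actually sees on the registration packet."""
        return self.nat_public or self.outside_ip


class Hub:
    """NHRP server: maps tunnel (overlay) addresses to real NBMA addresses."""

    def __init__(self) -> None:
        self.nhrp_db: Dict[str, str] = {}    # tunnel_ip -> NBMA address
        self.spokes: Dict[str, Spoke] = {}

    def register(self, spoke: Spoke, transport_mode: bool = True) -> str:
        # In IPsec transport mode (NAT-Transparency aware) the hub maps the
        # post-NAT address the packet arrived from; in tunnel mode it can only
        # use the private address carried in the registration.
        nbma = spoke.nbma_seen_by_hub if transport_mode else spoke.outside_ip
        for tunnel_ip, existing in self.nhrp_db.items():
            if existing == nbma and tunnel_ip != spoke.tunnel_ip:
                # Translated addresses must be unique across the DMVPN.
                raise ValueError(f"{spoke.name}: {nbma} already mapped to {tunnel_ip}")
        self.nhrp_db[spoke.tunnel_ip] = nbma
        self.spokes[spoke.tunnel_ip] = spoke
        return nbma

    def resolve(self, tunnel_ip: str) -> Optional[str]:
        """NHRP resolution: overlay address -> real (outside) address."""
        return self.nhrp_db.get(tunnel_ip)


class Dmvpn:
    """Tracks dynamic spoke-to-spoke tunnels and their idle timers."""

    def __init__(self, hub: Hub, idle_timeout: int = 120) -> None:
        self.hub = hub
        self.idle_timeout = idle_timeout
        self.tunnels: Dict[FrozenSet[str], int] = {}  # {a, b} -> last used

    def send(self, src: Spoke, dst_tunnel_ip: str, now: int) -> str:
        """Return 'direct' if a spoke-to-spoke tunnel carries the packet, else 'hub'."""
        if self.hub.resolve(dst_tunnel_ip) is None:
            return "hub"                  # peer unknown: traffic stays on the hub
        dst = self.hub.spokes[dst_tunnel_ip]
        if src.pat and dst.pat:
            return "hub"                  # PAT on both sides: no direct session
        self.tunnels[frozenset({src.tunnel_ip, dst_tunnel_ip})] = now
        return "direct"

    def expire(self, now: int) -> int:
        """Tear down spoke-to-spoke tunnels idle longer than the timeout."""
        idle = [k for k, last in self.tunnels.items() if now - last > self.idle_timeout]
        for key in idle:
            del self.tunnels[key]
        return len(idle)


def demo() -> dict:
    hub = Hub()
    net = Dmvpn(hub, idle_timeout=120)
    # A and B share one private address behind different PAT devices; that is
    # allowed because their translated addresses differ.
    a = Spoke("A", "10.0.0.1", "192.168.1.2", nat_public="203.0.113.10", pat=True)
    b = Spoke("B", "10.0.0.2", "192.168.1.2", nat_public="203.0.113.20", pat=True)
    c = Spoke("C", "10.0.0.3", "198.51.100.5")   # not behind NAT
    for spoke in (a, b, c):
        hub.register(spoke)
    return {
        "b_nbma": hub.resolve("10.0.0.2"),        # 203.0.113.20, the post-NAT address
        "a_to_b": net.send(a, "10.0.0.2", now=0),  # both behind PAT -> 'hub'
        "a_to_c": net.send(a, "10.0.0.3", now=0),  # -> 'direct'
        "torn_down": net.expire(now=300),          # 1 idle tunnel removed
    }
```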

IPsec Profiles
IPsec profiles abstract IPsec policy information into a single configuration entity, which can be referenced
by name from other parts of the configuration. Therefore, users can configure functionality such as GRE
tunnel protection with a single line of configuration. By referencing an IPsec profile, the user does not have
to configure an entire crypto map configuration. An IPsec profile contains only IPsec information; that is, it
does not contain any access list information or peering information.

VRF Integrated DMVPN


VPN Routing and Forwarding (VRF) Integrated DMVPN enables users to map DMVPN multipoint interfaces
into MPLS VPNs. This mapping allows Internet service providers (ISPs) to extend their existing MPLS VPN
services by mapping off-network sites (typically a branch office) to their respective MPLS VPNs. Customer
equipment (CE) routers are terminated on the DMVPN PE router, and traffic is placed in the VRF instance
of an MPLS VPN.
DMVPN can interact with MPLS VPNs in two ways:
1. The ip vrf forwarding command is used to inject the data IP packets (those packets inside the mGRE+IPsec
tunnel) into the MPLS VPN. The ip vrf forwarding command is supported for DMVPN in Cisco IOS
Release 12.3(6) and Release 12.3(7)T.
2. The tunnel vrf command is used to transport (route) the mGRE+IPsec tunnel packet itself within an
MPLS VPN. The tunnel vrf command is supported in Cisco IOS Release 12.3(11)T but not in Cisco IOS
Release 12.2(18)SXE.

Note Clear-text data IP packets are forwarded in a VRF using the ip vrf forwarding command, and encrypted
tunnel IP packets are forwarded in a VRF using the tunnel vrf command.

The ip vrf forwarding and tunnel vrf commands may be used at the same time. If they are used at the same
time, the VRF name of each command may be the same or different.
For information about configuring the forwarding of clear-text data IP packets into a VRF, see the section
“Configuring the Forwarding of Clear-Text Data IP Packets into a VRF.” For information about configuring
the forwarding of encrypted tunnel packets into a VRF, see the section “Configuring the Forwarding of
Encrypted Tunnel Packets into a VRF.”
For more information about configuring VRF, see the reference in the “Related Documents” section.
The diagram below illustrates a typical VRF Integrated DMVPN scenario.


Figure 2: VRF Integrated DMVPN

DMVPN--Enabling Traffic Segmentation Within DMVPN


Cisco IOS Release 12.4(11)T provides an enhancement that allows you to segment VPN traffic within a
DMVPN tunnel. VRF instances are labeled, using MPLS, to indicate their source and destination.
The diagram below and the corresponding bullets explain how traffic segmentation within DMVPN works.


Figure 3: Traffic Segmentation with DMVPN

• The hub shown in the diagram is a WAN-PE and a route reflector, and the spokes (PE routers) are clients.
• There are three VRFs, designated “red,” “green,” and “blue.”
• Each spoke has both a neighbor relationship with the hub (multiprotocol Border Gateway Protocol
[MP-iBGP] peering) and a GRE tunnel to the hub.
• Each spoke advertises its routes and VPNv4 prefixes to the hub.
• The hub sets its own IP address as the next-hop route for all the VPNv4 addresses it learns from the
spokes and assigns a local MPLS label for each VPN when it advertises routes back to the spokes. As a
result, traffic from Spoke A to Spoke B is routed via the hub.

An example illustrates the process:

1. Spoke A advertises a VPNv4 route to the hub, with label X attached for that VPN.
2. The hub replaces the label with its own label Y when it advertises the route to Spoke B.
3. When Spoke B has traffic to send to Spoke A, it applies label Y, and the traffic goes to the hub.
4. The hub swaps the VPN label, removing label Y and applying label X, and sends the traffic to Spoke A.

NAT-Transparency Aware DMVPN


DMVPN spokes are often situated behind a NAT router (which is often controlled by the ISP for the spoke
site) with the outside interface address of the spoke router being dynamically assigned by the ISP using a
private IP address (per Internet Engineering Task Force [IETF] RFC 1918).
Before Cisco IOS Releases 12.3(6) and 12.3(7)T, these spoke routers had to use IPsec tunnel mode to participate
in a DMVPN network, and their ISP-assigned private outside interface address had to be unique across the
DMVPN network. Even though ISAKMP and IPsec negotiate NAT-T and learn the correct NAT public address for
the private IP address of the spoke, NHRP could only see and use the private IP address of the spoke for its
mapping entries. With the NAT-Transparency Aware DMVPN enhancement, NHRP can learn and use the NAT public
address for its mappings as long as IPsec transport mode is used (the recommended IPsec mode for DMVPN
networks), and the restriction that the private interface IP address of the spoke must be unique across the
DMVPN network has been removed. It is recommended that all DMVPN routers be upgraded to the new code before
you try to use the new functionality, even though spoke routers that are not behind NAT do not need to be
upgraded. In addition, you cannot convert upgraded spoke routers that are behind NAT to the new configuration
(IPsec transport mode) until the hub routers have been upgraded.
Also added in Cisco IOS Releases 12.3(9a) and 12.3(11)T is the capability to have the hub DMVPN router
behind static NAT. This was a change in the ISAKMP NAT-T support. For this functionality to be used, all
the DMVPN spoke routers and hub routers must be upgraded, and IPsec must use transport mode.
For these NAT-Transparency Aware enhancements to work, the transform set must use IPsec transport mode.
Also, although NAT-Transparency for IKE and IPsec can support two peers being translated to the same IP
address (using the UDP ports to differentiate them), DMVPN does not support this. All DMVPN spokes must
have a unique IP address after they have been NAT translated; they can share the same IP address before
they are NAT translated.
The diagram below illustrates a NAT-Transparency Aware DMVPN scenario.

Note: Before Cisco IOS Release 12.4(6)T, DMVPN spokes behind NAT do not participate in dynamic direct
spoke-to-spoke tunnels: any traffic to or from a spoke that is behind NAT is forwarded through the DMVPN
hub routers, while spokes in the same DMVPN network that are not behind NAT may still create dynamic direct
spoke-to-spoke tunnels between each other. In Cisco IOS Release 12.4(6)T and later releases, DMVPN spokes
behind NAT do participate in dynamic direct spoke-to-spoke tunnels, subject to the following: the spokes must
be behind NAT devices that perform NAT, not PAT; the NAT device must translate the spoke to the same outside
NAT IP address for spoke-to-spoke connections as it does for the spoke-to-hub connection; and if more than
one DMVPN spoke is behind the same NAT device, the NAT device must translate those spokes to different outside
NAT IP addresses. Even then, a direct spoke-to-spoke tunnel between spokes behind the same NAT device may not
be possible. If a spoke-to-spoke tunnel fails to form, the spoke-to-spoke packets continue to be forwarded via
the spoke-hub-spoke path.

Figure 4: NAT-Transparency Aware DMVPN

Call Admission Control with DMVPN


In a DMVPN network, a DMVPN router can easily be overwhelmed by the number of tunnels it is trying to build.
Call Admission Control can be used to limit the number of tunnels that can be built at any one time, which
protects the router's memory and CPU resources.
On a DMVPN spoke, Call Admission Control is typically used to limit the total number of ISAKMP sessions
(DMVPN tunnels) that the spoke router will attempt to initiate or accept. This is done by configuring an IKE
SA limit under Call Admission Control, which makes the router drop new ISAKMP session requests (inbound and
outbound) if the current number of ISAKMP SAs exceeds the limit.
On a DMVPN hub, Call Admission Control is typically used to rate-limit the number of DMVPN tunnels that are
being built at the same time. This is done by configuring a system resource limit under Call Admission
Control, which makes the router drop new ISAKMP session requests (new DMVPN tunnels) when system utilization
is above a specified percentage. Dropping the new requests lets the hub complete the ISAKMP sessions already
in progress; when utilization drops, the previously dropped sessions are processed when the peers retry them.
No special configuration is required to use Call Admission Control with DMVPN. For information about
configuring Call Admission Control, see the reference in the section “Related Documents.”

NHRP Rate-Limiting Mechanism


NHRP has a rate-limiting mechanism that restricts the number of NHRP packets that can be sent from any given
interface. The default, which is changed with the ip nhrp max-send command, is 100 packets every 10 seconds
per interface. If the limit is exceeded, the router logs the following system message:

%NHRP-4-QUOTA: Max-send quota of [int]pkts/[int]Sec. exceeded on [chars]

For more information about this system message, see the document 12.4T System Message Guide.
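A small detection routine for the %NHRP-4-QUOTA message, as an added Python example that is not part of this guide or of Cisco IOS. It scans constructed syslog lines (hostnames, sequence numbers, timestamps and interface names are assumptions), counts quota hits per router and tunnel interface, and flags interfaces that keep hitting the limit, since every hit means NHRP packets were dropped.

```python
import re
from collections import Counter

# Constructed syslog lines in the format of the %NHRP-4-QUOTA message quoted above.
# Hostnames, sequence numbers, timestamps and interface names are assumptions.
SAMPLE_LOG = """\
Mar  1 10:00:01 hub1 1234: *Mar  1 10:00:01.123: %NHRP-4-QUOTA: Max-send quota of 100pkts/10Sec. exceeded on Tunnel0
Mar  1 10:00:03 hub1 1235: *Mar  1 10:00:03.456: %NHRP-4-QUOTA: Max-send quota of 100pkts/10Sec. exceeded on Tunnel0
Mar  1 10:00:05 spoke7 88: *Mar  1 10:00:05.001: %NHRP-4-QUOTA: Max-send quota of 100pkts/10Sec. exceeded on Tunnel5
Mar  1 10:00:09 hub1 1236: *Mar  1 10:00:09.789: %NHRP-4-QUOTA: Max-send quota of 100pkts/10Sec. exceeded on Tunnel0
Mar  1 10:00:10 hub1 1237: *Mar  1 10:00:10.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
"""

# "<month> <day> <time> <host> ... %NHRP-4-QUOTA: Max-send quota of <n>pkts/<s>Sec. exceeded on <intf>"
QUOTA_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<host>\S+) .*?%NHRP-4-QUOTA: Max-send quota of "
    r"(?P<pkts>\d+)pkts/(?P<secs>\d+)Sec\. exceeded on (?P<intf>\S+)"
)


def parse_quota_events(log_text):
    """One dict per %NHRP-4-QUOTA line: router, interface and the quota that was hit."""
    events = []
    for line in log_text.splitlines():
        m = QUOTA_RE.match(line)
        if m:
            events.append({"host": m.group("host"), "intf": m.group("intf"),
                           "quota_pkts": int(m.group("pkts")),
                           "quota_secs": int(m.group("secs"))})
    return events


def count_by_interface(events):
    """Number of quota-exceeded messages per (router, interface)."""
    return Counter((e["host"], e["intf"]) for e in events)


def flag_interfaces(events, threshold=3):
    """(router, interface) pairs that hit the quota at least `threshold` times.

    Each message means the interface tried to send more than quota_pkts NHRP packets
    within quota_secs seconds and the excess was dropped. Dropped NHRP packets are lost
    registrations or resolution requests, so repeated hits on a hub tunnel show up as
    spokes that fail to register or as spoke-to-spoke tunnels that never come up.
    """
    return sorted(key for key, n in count_by_interface(events).items() if n >= threshold)
```

Raising the quota with ip nhrp max-send silences the message but also raises the NHRP load one interface may generate; a hub that keeps hitting the default of 100 packets per 10 seconds warrants a look at how many spokes are registering and how often before the limit is changed.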

How to Configure Dynamic Multipoint VPN (DMVPN)


To enable mGRE and IPsec tunneling for hub and spoke routers, you must configure an IPsec profile that
uses a global IPsec policy template and configure your mGRE tunnel for IPsec encryption. The procedures
that follow describe these tasks.

Configuring an IPsec Profile


The IPsec profile shares most of the same commands with the crypto map configuration, but only a subset of
the commands are valid in an IPsec profile. Only commands that pertain to an IPsec policy can be issued
under an IPsec profile; you cannot specify the IPsec peer address or the access control list (ACL) to match
the packets that are to be encrypted.

Note Security threats, as well as the cryptographic technologies to help protect against them, are constantly changing.
For more information about the latest Cisco cryptographic recommendations, see the Next Generation
Encryption (NGE) white paper.

Before you begin


Before configuring an IPsec profile, you must define a transform set by using the crypto ipsec transform-set
command.

SUMMARY STEPS
1. enable
2. configure terminal
3. crypto ipsec profile name
4. set transform-set transform-set-name
5. set identity
6. set security association lifetime {seconds seconds | kilobytes kilobytes}
7. set pfs [group1 | group14 | group15 | group16 | group19 | group2 | group20 | group24 | group5]

DETAILED STEPS

Step 1: enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
Router> enable

Step 2: configure terminal
Enters global configuration mode.
Example:
Router# configure terminal

Step 3: crypto ipsec profile name
Defines the IPsec parameters that are to be used for IPsec encryption between “spoke and hub” and “spoke and spoke” routers. This command enters crypto map configuration mode.
• The name argument specifies the name of the IPsec profile.
Example:
Router(config)# crypto ipsec profile vpnprof

Step 4: set transform-set transform-set-name
Specifies which transform sets can be used with the IPsec profile.
• The transform-set-name argument specifies the name of the transform set.
Example:
Router(config-crypto-map)# set transform-set trans2

Step 5: set identity
(Optional) Specifies identity restrictions to be used with the IPsec profile.
Example:
Router(config-crypto-map)# set identity

Step 6: set security association lifetime {seconds seconds | kilobytes kilobytes}
(Optional) Overrides the global lifetime value for the IPsec profile.
• The seconds seconds option specifies the number of seconds a security association will live before expiring; the kilobytes kilobytes option specifies the volume of traffic (in kilobytes) that can pass between IPsec peers using a given security association before that security association expires.
• The default for the seconds argument is 3600 seconds.
Example:
Router(config-crypto-map)# set security association lifetime seconds 1800

Step 7: set pfs [group1 | group14 | group15 | group16 | group19 | group2 | group20 | group24 | group5]
(Optional) Specifies that IPsec should ask for perfect forward secrecy (PFS) when requesting new security associations for this IPsec profile. If set pfs is not configured, PFS is not requested at all; if set pfs is entered without a group, the default Diffie-Hellman (DH) group, group1, is used.
• group1: 768-bit DH (no longer recommended)
• group2: 1024-bit DH (no longer recommended)
• group5: 1536-bit DH (no longer recommended)
• group14: 2048-bit DH group
• group15: 3072-bit DH group
• group16: 4096-bit DH group
• group19: 256-bit elliptic curve DH (ECDH) group
• group20: 384-bit ECDH group
• group24: 2048-bit DH/DSA group
Example:
Router(config-crypto-map)# set pfs group14

What to Do Next
Proceed to the following sections “Configuring the Hub for DMVPN” and “Configuring the Spoke for
DMVPN.”

Configuring the Hub for DMVPN


To configure the hub router for mGRE and IPsec integration (that is, associate the tunnel with the IPsec profile
configured in the previous procedure), use the following commands:

Note: NHRP network IDs are locally significant and can differ between routers. From a deployment and
maintenance perspective it makes sense to use the same network ID number (set with the ip nhrp network-id
command) on all routers in a DMVPN network, but it is not required that they be the same.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface tunnel number
4. ip address ip-address mask [secondary]
5. ip mtu bytes
6. ip nhrp authentication string
7. ip nhrp map multicast dynamic
8. ip nhrp network-id number
9. tunnel source {ip-address | type number}
10. tunnel key key-number
11. tunnel mode gre multipoint
12. tunnel protection ipsec profile name
13. bandwidth kbps
14. ip tcp adjust-mss max-segment-size
15. ip nhrp holdtime seconds
16. delay number

DETAILED STEPS

Step 1: enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
Router> enable

Step 2: configure terminal
Enters global configuration mode.
Example:
Router# configure terminal

Step 3: interface tunnel number
Configures a tunnel interface and enters interface configuration mode.
• The number argument specifies the number of the tunnel interface that you want to create or configure. There is no limit on the number of tunnel interfaces you can create.
Example:
Router(config)# interface tunnel 5

Step 4: ip address ip-address mask [secondary]
Sets a primary or secondary IP address for the tunnel interface.
Note: All hubs and spokes that are in the same DMVPN network must be addressed in the same IP subnet.
Example:
Router(config-if)# ip address 10.0.0.1 255.255.255.0

Step 5: ip mtu bytes
Sets the maximum transmission unit (MTU) size, in bytes, of IP packets sent on an interface.
Example:
Router(config-if)# ip mtu 1400

Step 6: ip nhrp authentication string
Configures the authentication string for an interface using NHRP.
Note: The NHRP authentication string must be set to the same value on all hubs and spokes that are in the same DMVPN network. The string is carried unencrypted inside the NHRP packet and only checks that peers belong to the same NHRP domain; peer authentication for the DMVPN comes from the IPsec protection applied in Step 12, not from this string.
Example:
Router(config-if)# ip nhrp authentication donttell

Step 7: ip nhrp map multicast dynamic
Allows NHRP to automatically add spoke routers to the multicast NHRP mappings.
Example:
Router(config-if)# ip nhrp map multicast dynamic

Step 8: ip nhrp network-id number
Enables NHRP on an interface.
• The number argument specifies a globally unique 32-bit network identifier from a nonbroadcast multiaccess (NBMA) network. The range is from 1 to 4294967295.
Example:
Router(config-if)# ip nhrp network-id 99

Step 9: tunnel source {ip-address | type number}
Sets the source address for a tunnel interface.
Example:
Router(config-if)# tunnel source Ethernet0

Step 10: tunnel key key-number
(Optional) Enables an ID key for a tunnel interface.
• The key-number argument specifies a number from 0 to 4,294,967,295 that identifies the tunnel key.
Note: The key number must be set to the same value on all hubs and spokes that are in the same DMVPN network.
Note: This command should not be configured if you are using a Cisco 6500 or Cisco 7600 platform.
Example:
Router(config-if)# tunnel key 100000

Step 11: tunnel mode gre multipoint
Sets the encapsulation mode to mGRE for the tunnel interface.
Example:
Router(config-if)# tunnel mode gre multipoint

Step 12: tunnel protection ipsec profile name
Associates a tunnel interface with an IPsec profile.
• The name argument specifies the name of the IPsec profile; this value must match the name specified in the crypto ipsec profile name command.
Example:
Router(config-if)# tunnel protection ipsec profile vpnprof

Step 13: bandwidth kbps
Sets the current bandwidth value for an interface to higher-level protocols.
• The kbps argument specifies the bandwidth in kilobits per second. The default value is 9. The recommended bandwidth value is 1000 or greater.
Setting the bandwidth value to at least 1000 is critical if EIGRP is used over the tunnel interface. Higher bandwidth values may be necessary depending on the number of spokes supported by a hub.
Example:
Router(config-if)# bandwidth 1000

Step 14: ip tcp adjust-mss max-segment-size
Adjusts the maximum segment size (MSS) value of TCP packets going through a router.
• The max-segment-size argument specifies the maximum segment size, in bytes. The range is from 500 to 1460.
The recommended value is 1360 when the IP MTU is set to 1400 (the 40-byte difference covers the IP and TCP headers). With these recommended settings, TCP sessions quickly scale back to 1400-byte IP packets so the packets “fit” in the tunnel.
Example:
Router(config-if)# ip tcp adjust-mss 1360

Step 15: ip nhrp holdtime seconds
Changes the number of seconds that NHRP NBMA addresses are advertised as valid in authoritative NHRP responses.
• The seconds argument specifies the time in seconds that NBMA addresses are advertised as valid in positive authoritative NHRP responses. The recommended value ranges from 300 seconds to 600 seconds.
Example:
Router(config-if)# ip nhrp holdtime 450

Step 16: delay number
(Optional) Used to change the EIGRP routing metric for routes learned over the tunnel interface.
• The number argument specifies the interface delay in tens of microseconds. The recommended value is 1000.
Example:
Router(config-if)# delay 1000

Configuring the Spoke for DMVPN


To configure spoke routers for mGRE and IPsec integration, use the following commands.

Note: NHRP network IDs are locally significant and can differ between routers. From a deployment and
maintenance perspective it makes sense to use the same network ID number (set with the ip nhrp network-id
command) on all routers in a DMVPN network, but it is not required that they be the same.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface tunnel number
4. ip address ip-address mask [secondary]
5. ip mtu bytes
6. ip nhrp authentication string
7. ip nhrp map hub-tunnel-ip-address hub-physical-ip-address
8. ip nhrp map multicast hub-physical-ip-address
9. ip nhrp nhs hub-tunnel-ip-address
10. ip nhrp network-id number
11. tunnel source {ip-address | type number}
12. tunnel key key-number
13. Do one of the following:
• tunnel mode gre multipoint
• tunnel destination hub-physical-ip-address
14. tunnel protection ipsec profile name
15. bandwidth kbps

16. ip tcp adjust-mss max-segment-size
17. ip nhrp holdtime seconds
18. delay number

DETAILED STEPS

Step 1: enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
Router> enable

Step 2: configure terminal
Enters global configuration mode.
Example:
Router# configure terminal

Step 3: interface tunnel number
Configures a tunnel interface and enters interface configuration mode.
• The number argument specifies the number of the tunnel interface that you want to create or configure. There is no limit on the number of tunnel interfaces you can create.
Example:
Router(config)# interface tunnel 5

Step 4: ip address ip-address mask [secondary]
Sets a primary or secondary IP address for the tunnel interface.
Note: All hubs and spokes that are in the same DMVPN network must be addressed in the same IP subnet.
Example:
Router(config-if)# ip address 10.0.0.2 255.255.255.0

Step 5: ip mtu bytes
Sets the MTU size, in bytes, of IP packets sent on an interface.
Example:
Router(config-if)# ip mtu 1400

Step 6: ip nhrp authentication string
Configures the authentication string for an interface using NHRP.
Note: The NHRP authentication string must be set to the same value on all hubs and spokes that are in the same DMVPN network. As on the hub, the string is carried unencrypted inside the NHRP packet and is not a substitute for the IPsec protection applied in Step 14.
Example:
Router(config-if)# ip nhrp authentication donttell

Step 7: ip nhrp map hub-tunnel-ip-address hub-physical-ip-address
Statically configures the IP-to-NBMA address mapping of IP destinations connected to an NBMA network.
• hub-tunnel-ip-address: the tunnel address of the NHRP server at the hub, which is permanently mapped to the static public IP address of the hub.
• hub-physical-ip-address: the static public IP address of the hub.
Example:
Router(config-if)# ip nhrp map 10.0.0.1 172.17.0.1

Step 8: ip nhrp map multicast hub-physical-ip-address
Enables the use of a dynamic routing protocol between the spoke and hub, and sends multicast packets to the hub router.
Example:
Router(config-if)# ip nhrp map multicast 172.17.0.1

Step 9: ip nhrp nhs hub-tunnel-ip-address
Configures the hub router as the NHRP next-hop server.
Example:
Router(config-if)# ip nhrp nhs 10.0.0.1

Step 10: ip nhrp network-id number
Enables NHRP on an interface.
• The number argument specifies a globally unique 32-bit network identifier from an NBMA network. The range is from 1 to 4294967295.
Example:
Router(config-if)# ip nhrp network-id 99

Step 11: tunnel source {ip-address | type number}
Sets the source address for a tunnel interface.
Example:
Router(config-if)# tunnel source Ethernet0

Step 12: tunnel key key-number
(Optional) Enables an ID key for a tunnel interface.
• The key-number argument specifies a number from 0 to 4,294,967,295 that identifies the tunnel key.
• The key number must be set to the same value on all hubs and spokes that are in the same DMVPN network.
Note: This command should not be configured if you are using a Cisco 6500 or Cisco 7600 platform.
Example:
Router(config-if)# tunnel key 100000

Step 13: Do one of the following:
• tunnel mode gre multipoint: sets the encapsulation mode to mGRE for the tunnel interface. Use this command if data traffic can use dynamic spoke-to-spoke tunnels.
• tunnel destination hub-physical-ip-address: specifies the destination for a point-to-point GRE tunnel interface. Use this command if data traffic uses only hub-and-spoke tunnels.
Example:
Router(config-if)# tunnel mode gre multipoint
Example:
Router(config-if)# tunnel destination 172.17.0.1

Step 14: tunnel protection ipsec profile name
Associates a tunnel interface with an IPsec profile.
• The name argument specifies the name of the IPsec profile; this value must match the name specified in the crypto ipsec profile name command.
Example:
Router(config-if)# tunnel protection ipsec profile vpnprof

Step 15: bandwidth kbps
Sets the current bandwidth value for an interface to higher-level protocols.
• The kbps argument specifies the bandwidth in kilobits per second. The default value is 9. The recommended bandwidth value is 1000 or greater.
The bandwidth setting for the spoke does not need to equal the bandwidth setting for the DMVPN hub. It is usually easier if all of the spokes use the same or similar value.
Example:
Router(config-if)# bandwidth 1000

Step 16: ip tcp adjust-mss max-segment-size
Adjusts the maximum segment size (MSS) value of TCP packets going through a router.
• The max-segment-size argument specifies the maximum segment size, in bytes. The range is from 500 to 1460.
The recommended value is 1360 when the IP MTU is set to 1400. With these recommended settings, TCP sessions quickly scale back to 1400-byte IP packets so the packets “fit” in the tunnel.
Example:
Router(config-if)# ip tcp adjust-mss 1360

Step 17: ip nhrp holdtime seconds
Changes the number of seconds that NHRP NBMA addresses are advertised as valid in authoritative NHRP responses.
• The seconds argument specifies the time in seconds that NBMA addresses are advertised as valid in positive authoritative NHRP responses. The recommended value ranges from 300 seconds to 600 seconds.
Example:
Router(config-if)# ip nhrp holdtime 450

Step 18: delay number
(Optional) Used to change the EIGRP routing metric for routes learned over the tunnel interface.
• The number argument specifies the interface delay in tens of microseconds. The recommended value is 1000.
Example:
Router(config-if)# delay 1000
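A consistency check for the configuration produced by the three procedures above (the IPsec profile, the hub and the spoke), as an added Python example that is not part of this guide or of Cisco IOS. It parses two constructed running-config excerpts, the spoke's deliberately wrong (tunnel-mode transform set, PFS group2, a mistyped NHRP authentication string and an MSS that does not match the MTU), and reports the settings the procedures say must match or must not be used. The config texts, the transform-set ciphers and the parser are assumptions; the checks encode only rules stated in this guide.

```python
import ipaddress

# Constructed hub and spoke running-config excerpts built from the commands in the procedures
# above (addresses and names follow the guide's examples; the transform-set ciphers are an
# assumption). The spoke is deliberately misconfigured.
HUB_CONFIG = """\
crypto ipsec transform-set trans2 esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile vpnprof
 set transform-set trans2
 set pfs group14
interface Tunnel5
 ip address 10.0.0.1 255.255.255.0
 ip mtu 1400
 ip nhrp authentication donttell
 ip tcp adjust-mss 1360
 tunnel protection ipsec profile vpnprof
"""

SPOKE_CONFIG = """\
crypto ipsec transform-set trans2 esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile vpnprof
 set transform-set trans2
 set pfs group2
interface Tunnel5
 ip address 10.0.0.2 255.255.255.0
 ip mtu 1400
 ip nhrp authentication donttel1
 ip nhrp map 10.0.0.1 172.17.0.1
 ip nhrp nhs 10.0.0.1
 ip tcp adjust-mss 1400
 tunnel protection ipsec profile vpnprof
"""

WEAK_PFS = {"group1", "group2", "group5"}  # "no longer recommended" in Step 7 above


def parse_sections(text):
    """Group an IOS config into {top-level command: [its indented sub-commands]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif raw.strip():
            current = raw.strip()
            sections[current] = []
    return sections


def child(children, prefix):
    """First sub-command starting with prefix, or None."""
    return next((c for c in children if c.startswith(prefix)), None)


def check_device(text):
    """Findings for one router against the rules stated in the procedures above."""
    findings = []
    for cmd, kids in parse_sections(text).items():
        if cmd.startswith("crypto ipsec transform-set "):
            if child(kids, "mode transport") is None:  # required for NAT-T aware DMVPN
                findings.append(cmd + ": not transport mode")
        elif cmd.startswith("crypto ipsec profile "):
            pfs = child(kids, "set pfs")
            if pfs is None:
                findings.append(cmd + ": PFS not requested")
            else:
                group = (pfs.split() + ["group1"])[2]  # a bare "set pfs" means group1
                if group in WEAK_PFS:
                    findings.append(cmd + ": weak DH group " + group)
        elif cmd.startswith("interface Tunnel"):
            if child(kids, "tunnel protection ipsec profile") is None:
                findings.append(cmd + ": no IPsec protection")
            mtu, mss = child(kids, "ip mtu "), child(kids, "ip tcp adjust-mss ")
            # 1400/1360: MSS is the IP MTU minus the 20-byte IP and 20-byte TCP headers
            if mtu and mss and int(mss.split()[-1]) != int(mtu.split()[-1]) - 40:
                findings.append(cmd + ": adjust-mss should be ip mtu minus 40")
    return findings


def tunnel_params(text):
    """Addressing and NHRP parameters of the first tunnel interface in a config."""
    for cmd, kids in parse_sections(text).items():
        if cmd.startswith("interface Tunnel"):
            addr = child(kids, "ip address ").split()
            iface = ipaddress.ip_interface(addr[2] + "/" + addr[3])
            nhs = child(kids, "ip nhrp nhs ")
            return {"address": iface.ip, "network": iface.network,
                    "auth": child(kids, "ip nhrp authentication "),
                    "nhs": ipaddress.ip_address(nhs.split()[-1]) if nhs else None}
    return None


def check_pair(hub_text, spoke_text):
    """Findings that only appear when the hub and a spoke are compared side by side."""
    hub, spoke, findings = tunnel_params(hub_text), tunnel_params(spoke_text), []
    if hub["network"] != spoke["network"]:
        findings.append("hub and spoke tunnel addresses are not in the same subnet")
    if hub["auth"] != spoke["auth"]:
        findings.append("NHRP authentication strings differ")
    if spoke["nhs"] != hub["address"]:
        findings.append("spoke NHS is not the hub tunnel address")
    return findings
```

Run check_device on each router's configuration and check_pair on the hub together with every spoke. The per-device checks are the ones a single misconfigured spoke can get wrong on its own (transform-set mode, PFS group, MSS/MTU); the pair checks are the ones whose failure only shows up as a spoke that never registers (subnet, NHRP string, NHS address).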

Configuring the Forwarding of Clear-Text Data IP Packets into a VRF


To configure the forwarding of clear-text data IP packets into a VRF, perform the following steps. This
configuration assumes that the VRF BLUE has already been configured.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ip vrf forwarding vrf-name

DETAILED STEPS

Step 1: enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
Router> enable

Step 2: configure terminal
Enters global configuration mode.
Example:
Router# configure terminal

Step 3: interface type number
Configures an interface type and enters interface configuration mode.
Example:
Router(config)# interface tunnel0

Step 4: ip vrf forwarding vrf-name
Associates a VPN VRF with an interface or subinterface. On the DMVPN tunnel interface this places the clear-text data packets carried inside the tunnel in the VRF.
Note: Applying ip vrf forwarding to an interface removes any IP address already configured on it; re-enter the ip address command afterward.
Example:
Router(config-if)# ip vrf forwarding BLUE

Configuring the Forwarding of Encrypted Tunnel Packets into a VRF


To configure the forwarding of encrypted tunnel packets into a VRF, perform the following steps. This
configuration assumes that the VRF RED has already been configured.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. tunnel vrf vrf-name

DETAILED STEPS

Step 1: enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
Router> enable

Step 2: configure terminal
Enters global configuration mode.
Example:
Router# configure terminal

Step 3: interface type number
Configures an interface type and enters interface configuration mode.
Example:
Router(config)# interface tunnel0

Step 4: tunnel vrf vrf-name
Associates a VPN VRF instance with a specific tunnel destination, interface, or subinterface. On the DMVPN tunnel interface this is the VRF in which the encrypted tunnel packets are forwarded, that is, the VRF used to reach the tunnel source and destination addresses.
Example:
Router(config-if)# tunnel vrf RED

Configuring DMVPN--Traffic Segmentation Within DMVPN


There are no new commands to use for configuring traffic segmentation, but there are tasks you must complete
in order to segment traffic within a DMVPN tunnel:

Prerequisites
The tasks that follow assume that the DMVPN tunnel and the VRFs “red” and “blue” have already been
configured.
For information on configuring a DMVPN tunnel, see the Configuring the Hub for DMVPN task and the
Configuring the Spoke for DMVPN. For details about VRF configuration, see the Configuring the Forwarding
of Clear-Text Data IP Packets into a VRF task and the Configuring the Forwarding of Encrypted Tunnel
Packets into a VRF task.

Enabling MPLS on the VPN Tunnel


Because traffic segmentation within a DMVPN tunnel depends upon MPLS, you must enable MPLS on the tunnel
interface that carries the VRF traffic to be segmented. For detailed information about configuring MPLS, see
Cisco IOS Multiprotocol Label Switching Configuration Guide, Release 12.4.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. mpls ip

DETAILED STEPS

Step 1: enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
Router> enable

Step 2: configure terminal
Enters global configuration mode.
Example:
Router# configure terminal

Step 3: interface type number
Configures an interface type and enters interface configuration mode.
Example:
Router(config)# interface tunnel0

Step 4: mpls ip
Enables MPLS label switching of IPv4 packets on the specified tunnel interface.
Example:
Router(config-if)# mpls ip

Configuring Multiprotocol BGP on the Hub Router


You must configure multiprotocol iBGP (MP-iBGP) to enable advertisement of VPNv4 prefixes and labels
to be applied to the VPN traffic. Use BGP to configure the hub as a route reflector. To force all traffic to be
routed via the hub, configure the BGP route reflector to change the next hop to itself when it advertises VPNv4
prefixes to the route reflector clients (spokes).

SUMMARY STEPS
1. enable
2. configure terminal
3. router bgp autonomous-system-number
4. neighbor ip-address remote-as as-number
5. neighbor ip-address update-source interface
6. address-family vpnv4
7. neighbor ip-address activate
8. neighbor ip-address send-community extended
9. neighbor ip-address route-reflector-client
10. neighbor ip-address route-map nexthop out
11. exit-address-family
12. address-family ipv4 vrf vrf-name
13. redistribute connected
14. route-map map-name permit sequence-number
15. set ip next-hop ip-address

DETAILED STEPS

Step 1: enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
Router> enable

Step 2: configure terminal
Enters global configuration mode.
Example:
Router# configure terminal

Step 3: router bgp autonomous-system-number
Enters router configuration mode for the BGP process with the given autonomous system number.
Example:
Router(config)# router bgp 1

Step 4: neighbor ip-address remote-as as-number
Adds an entry to the BGP or multiprotocol BGP neighbor table. For the session to a spoke, ip-address is the spoke's tunnel address and as-number is the hub's own autonomous system number, because the peering is iBGP.
Example:
Router(config-router)# neighbor 10.0.0.11 remote-as 1

Step 5: neighbor ip-address update-source interface
Specifies the interface whose address is used as the source of the TCP session to this neighbor. For DMVPN this is the tunnel interface, so the BGP session runs inside the protected tunnel.
Example:
Router(config-router)# neighbor 10.0.0.11 update-source Tunnel1

Step 6: address-family vpnv4
Enters address family configuration mode to configure a routing session using Virtual Private Network (VPN) Version 4 address prefixes.
Example:
Router(config-router)# address-family vpnv4

Step 7: neighbor ip-address activate
Enables the exchange of VPNv4 information with the BGP neighbor.
Example:
Router(config-router-af)# neighbor 10.0.0.11 activate

Step 8: neighbor ip-address send-community extended
Specifies that extended community attributes (the route targets that place a VPNv4 prefix in the right VRF) should be sent to the BGP neighbor.
Example:
Router(config-router-af)# neighbor 10.0.0.11 send-community extended

Step 9: neighbor ip-address route-reflector-client
Configures the router as a BGP route reflector and configures the specified neighbor as its client.
Example:
Router(config-router-af)# neighbor 10.0.0.11 route-reflector-client

Step 10: neighbor ip-address route-map nexthop out
Applies the route map defined in Steps 14 and 15 to the VPNv4 routes advertised to the spoke, rewriting their next hop to the hub so that all VPN traffic between spokes is routed via the hub.
Example:
Router(config-router-af)# neighbor 10.0.0.11 route-map nexthop out

Step 11: exit-address-family
Exits the address family configuration mode for VPNv4.
Example:
Router(config-router-af)# exit-address-family

Step 12: address-family ipv4 vrf vrf-name
Enters address family configuration mode for the IPv4 routes of the named VRF.
Example:
Router(config-router)# address-family ipv4 vrf red

Step 13: redistribute connected
Redistributes the connected routes of the VRF's interfaces into BGP so that they are advertised as VPNv4 prefixes.
Example:
Router(config-router-af)# redistribute connected

Step 14: route-map map-name permit sequence-number
Enters route map configuration mode to configure the next hop that will be advertised to the spokes.
Example:
Router(config)# route-map nexthop permit 10

Step 15: set ip next-hop ip-address
Sets the next hop to the hub's tunnel address.
Example:
Router(config-route-map)# set ip next-hop 10.0.0.1

Configuring Multiprotocol BGP on the Spoke Routers


Multiprotocol-iBGP (MP-iBGP) must be configured on the spoke routers and the hub. Follow the steps below
for each spoke router in the DMVPN.

SUMMARY STEPS
1. enable
2. configure terminal
3. router bgp autonomous-system-number
4. neighbor ip-address remote-as as-number
5. neighbor ip-address update-source interface
6. address-family vpnv4
7. neighbor ip-address activate
8. neighbor ip-address send-community extended
9. exit-address-family
10. address-family ipv4 vrf vrf-name
11. redistribute connected
12. exit-address-family

DETAILED STEPS

Step 1: enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
Router> enable

Step 2: configure terminal
Enters global configuration mode.
Example:
Router# configure terminal

Step 3: router bgp autonomous-system-number
Enters router configuration mode for the BGP process with the given autonomous system number (the same number as on the hub, because the peering is iBGP).
Example:
Router(config)# router bgp 1

Step 4: neighbor ip-address remote-as as-number
Adds an entry to the BGP or multiprotocol BGP neighbor table. ip-address is the hub's tunnel address.
Example:
Router(config-router)# neighbor 10.0.0.1 remote-as 1

Step 5: neighbor ip-address update-source interface
Specifies the interface whose address is used as the source of the TCP session to the hub; for DMVPN this is the tunnel interface.
Example:
Router(config-router)# neighbor 10.0.0.1 update-source Tunnel1

Step 6: address-family vpnv4
Enters address family configuration mode to configure a routing session using Virtual Private Network (VPN) Version 4 address prefixes.
Example:
Router(config-router)# address-family vpnv4

Step 7: neighbor ip-address activate
Enables the exchange of VPNv4 information with the BGP neighbor.
Example:
Router(config-router-af)# neighbor 10.0.0.1 activate

Step 8: neighbor ip-address send-community extended
Specifies that extended community attributes should be sent to the BGP neighbor.
Example:
Router(config-router-af)# neighbor 10.0.0.1 send-community extended

Step 9: exit-address-family
Exits the address family configuration mode.
Example:
Router(config-router-af)# exit-address-family

Step 10: address-family ipv4 vrf vrf-name
Enters address family configuration mode for the IPv4 routes of the named VRF.
Example:
Router(config-router)# address-family ipv4 vrf red

Step 11: redistribute connected
Redistributes the connected routes of the VRF's interfaces into BGP so that they are advertised as VPNv4 prefixes.
Example:
Router(config-router-af)# redistribute connected

Step 12: exit-address-family
Exits the address family configuration mode.
Note: Repeat Steps 10 through 12 for each VRF.
Example:
Router(config-router-af)# exit-address-family

Troubleshooting Dynamic Multipoint VPN (DMVPN)

After configuring DMVPN, to verify that DMVPN is operating correctly, to clear DMVPN statistics or sessions, or to debug DMVPN, you may perform the following optional steps:

Note Security threats, as well as the cryptographic technologies to help protect against them, are constantly changing. For more information about the latest Cisco cryptographic recommendations, see the Next Generation Encryption (NGE) white paper.

SUMMARY STEPS
1. The clear dmvpn session command is used to clear DMVPN sessions.
2. The clear dmvpn statistics command is used to clear DMVPN-related counters. The following example shows how to clear DMVPN-related session counters for the specified tunnel interface:
3. The debug dmvpn command is used to debug DMVPN sessions. You can enable or disable DMVPN debugging based on a specific condition. There are three levels of DMVPN debugging, listed in order of detail from lowest to highest:
4. The debug nhrp condition command enables or disables debugging based on a specific condition. The following example shows how to enable conditional NHRP debugging:
5. The debug nhrp error command displays information about NHRP error activity. The following example shows how to enable debugging for NHRP error messages:


6. The logging dmvpn command is used to enable DMVPN system logging. The following command shows how to enable DMVPN system logging at the rate of 1 message every 20 seconds:
7. The show crypto ipsec sa command displays the settings used by the current SAs. The following example output shows the IPsec SA status of only the active device:
8. The show crypto isakmp sa command displays all current IKE SAs at a peer. For example, the following sample output is displayed after IKE negotiations have successfully completed between two peers.
9. The show crypto map command displays the crypto map configuration.
10. The show dmvpn command displays DMVPN-specific session information. The following example shows summary output:
11. The show ip nhrp traffic command displays NHRP statistics. The following example shows output for a specific tunnel, tunnel7:

DETAILED STEPS

Step 1 The clear dmvpn session command is used to clear DMVPN sessions.
The following example clears only dynamic DMVPN sessions:
Router# clear dmvpn session peer nbma
The following example clears all DMVPN sessions, both static and dynamic, for the specified tunnel:
Router# clear dmvpn session interface tunnel 100 static

Step 2 The clear dmvpn statistics command is used to clear DMVPN-related counters. The following example shows how to clear DMVPN-related session counters for the specified tunnel interface:
Router# clear dmvpn statistics peer tunnel 192.0.2.3

Step 3 The debug dmvpn command is used to debug DMVPN sessions. You can enable or disable DMVPN debugging based on a specific condition. There are three levels of DMVPN debugging, listed in order of detail from lowest to highest:
• Error level
• Detail level
• Packet level

The following example shows how to enable conditional DMVPN debugging that displays all error debugs for Next Hop Resolution Protocol (NHRP), sockets, tunnel protection, and crypto information:
Router# debug dmvpn error all

Step 4 The debug nhrp condition command enables or disables debugging based on a specific condition. The following example shows how to enable conditional NHRP debugging:
Router# debug nhrp condition

Step 5 The debug nhrp error command displays information about NHRP error activity. The following example shows how to enable debugging for NHRP error messages:
Router# debug nhrp error

Step 6 The logging dmvpn command is used to enable DMVPN system logging. The following command shows how to enable DMVPN system logging at the rate of 1 message every 20 seconds:
Router(config)# logging dmvpn rate-limit 20


The following example shows a sample system log with DMVPN messages:
Example:

%DMVPN-7-CRYPTO_SS: Tunnel101-192.0.2.1 socket is UP
%DMVPN-5-NHRP_NHS: Tunnel101 192.0.2.251 is UP
%DMVPN-5-NHRP_CACHE: Client 192.0.2.2 on Tunnel1 Registered.
%DMVPN-5-NHRP_CACHE: Client 192.0.2.2 on Tunnel101 came UP.
%DMVPN-3-NHRP_ERROR: Registration Request failed for 192.0.2.251 on Tunnel101
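The system log above is the kind of feed a monitoring pipeline would consume. The following Python script is an added example, not part of this guide or of Cisco IOS: it parses %DMVPN messages of the shape shown (facility, severity, mnemonic, then text), tracks the latest state of each next-hop server per tunnel, and raises alerts for error-severity messages. The sample log lines are copied from the example above; the DmvpnEvent class, nhs_state and alerts functions are this example's own names.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the five DMVPN system messages shown in the guide's example.
SAMPLE_LOG = """\
%DMVPN-7-CRYPTO_SS: Tunnel101-192.0.2.1 socket is UP
%DMVPN-5-NHRP_NHS: Tunnel101 192.0.2.251 is UP
%DMVPN-5-NHRP_CACHE: Client 192.0.2.2 on Tunnel1 Registered.
%DMVPN-5-NHRP_CACHE: Client 192.0.2.2 on Tunnel101 came UP.
%DMVPN-3-NHRP_ERROR: Registration Request failed for 192.0.2.251 on Tunnel101
"""

# IOS system message shape: %FACILITY-SEVERITY-MNEMONIC: text  (severity 0-7, 3 = error)
MSG_RE = re.compile(r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+):\s*(?P<text>.*)")
TUNNEL_RE = re.compile(r"\bTunnel\d+\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class DmvpnEvent:
    severity: int
    mnemonic: str
    tunnel: Optional[str]   # first TunnelN named in the message text, if any
    peer: Optional[str]     # first IPv4 address named in the message text, if any
    text: str


def parse_dmvpn_log(log: str) -> List[DmvpnEvent]:
    """Keep only %DMVPN messages and pull the tunnel and peer address out of each."""
    events = []
    for line in log.splitlines():
        m = MSG_RE.search(line)
        if not m or m.group("fac") != "DMVPN":
            continue  # other facilities (or non-syslog lines) are not our concern here
        text = m.group("text")
        tun, ip = TUNNEL_RE.search(text), IPV4_RE.search(text)
        events.append(DmvpnEvent(int(m.group("sev")), m.group("mnem"),
                                 tun.group(0) if tun else None,
                                 ip.group(0) if ip else None, text))
    return events


def nhs_state(events: List[DmvpnEvent]) -> Dict[Tuple[str, str], str]:
    """Latest state of each (tunnel, next-hop server) pair. A registration failure that
    arrives after 'is UP' overrides it, which is the transition an alert should key on."""
    state: Dict[Tuple[str, str], str] = {}
    for e in events:
        if e.tunnel is None or e.peer is None:
            continue
        if e.mnemonic == "NHRP_NHS":
            state[(e.tunnel, e.peer)] = "UP" if e.text.endswith("is UP") else "DOWN"
        elif e.mnemonic == "NHRP_ERROR" and "Registration Request failed" in e.text:
            state[(e.tunnel, e.peer)] = "REGISTRATION_FAILED"
    return state


def alerts(events: List[DmvpnEvent]) -> List[str]:
    """Messages at error severity or worse (0-3); the level-5 and level-7 noise is dropped."""
    return [f"{e.mnemonic} on {e.tunnel}: {e.text}" for e in events if e.severity <= 3]


if __name__ == "__main__":
    evs = parse_dmvpn_log(SAMPLE_LOG)
    for key, st in nhs_state(evs).items():
        print(f"NHS {key[1]} on {key[0]}: {st}")
    for a in alerts(evs):
        print("ALERT", a)
```

Because the state table is keyed on the (tunnel, NHS) pair, a spoke that registers successfully and then fails re-registration is reported as failed rather than as up, which is what you want before paging on a hub outage.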

Step 7 The show crypto ipsec sa command displays the settings used by the current SAs. The following example output shows the IPsec SA status of only the active device:
Example:

Router# show crypto ipsec sa active
interface: Ethernet0/0
Crypto map tag: to-peer-outside, local addr 209.165.201.3
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.0.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.16.0.1/255.255.255.255/0/0)
current_peer 209.165.200.225 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 209.165.201.3, remote crypto endpt.: 209.165.200.225
path mtu 1500, media mtu 1500
current outbound spi: 0xD42904F0(3559458032)
inbound esp sas:
spi: 0xD3E9ABD0(3555306448)
transform: esp-aes ,
in use settings ={Tunnel, }
conn id: 2006, flow_id: 6, crypto map: to-peer-outside
sa timing: remaining key lifetime (k/sec): (4586265/3542)
HA last key lifetime sent(k): (4586267)
ike_cookies: 9263635C CA4B4E99 C14E908E 8EE2D79C
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

Step 8 The show crypto isakmp sa command displays all current IKE SAs at a peer. For example, the following sample output is displayed after IKE negotiations have successfully completed between two peers.
Example:

Router# show crypto isakmp sa
dst src state conn-id slot
172.17.63.19 172.16.175.76 QM_IDLE 2 0
172.17.63.19 172.17.63.20 QM_IDLE 1 0
172.16.175.75 172.17.63.19 QM_IDLE 3 0

Step 9 The show crypto map command displays the crypto map configuration.
The following sample output is displayed after a crypto map has been configured:
Example:

Router# show crypto map


Crypto Map "Tunnel5-head-0" 10 ipsec-isakmp
Profile name: vpnprof
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={trans2, }
Crypto Map "Tunnel5-head-0" 20 ipsec-isakmp
Map is a PROFILE INSTANCE.
Peer = 172.16.175.75
Extended IP access list
access-list permit gre host 172.17.63.19 host 172.16.175.75
Current peer: 172.16.175.75
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={trans2, }
Crypto Map "Tunnel5-head-0" 30 ipsec-isakmp
Map is a PROFILE INSTANCE.
Peer = 172.17.63.20
Extended IP access list
access-list permit gre host 172.17.63.19 host 172.17.63.20
Current peer: 172.17.63.20
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={trans2, }
Crypto Map "Tunnel5-head-0" 40 ipsec-isakmp
Map is a PROFILE INSTANCE.
Peer = 172.16.175.76
Extended IP access list
access-list permit gre host 172.17.63.19 host 172.16.175.76
Current peer: 172.16.175.76
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={trans2, }
Interfaces using crypto map Tunnel5-head-0:
Tunnel5

Step 10 The show dmvpn command displays DMVPN-specific session information. The following example shows summary output:
Example:

Router# show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
! The line below indicates that the sessions are being displayed for Tunnel1.
! Tunnel1 is acting as a spoke and is a peer with three other NBMA peers.
Tunnel1, Type: Spoke, NBMA Peers: 3,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
2 192.0.2.21 192.0.2.116 IKE 3w0d D
1 192.0.2.102 192.0.2.11 NHRP 02:40:51 S
1 192.0.2.225 192.0.2.10 UP 3w0d S
Tunnel2, Type: Spoke, NBMA Peers: 1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 192.0.2.25 192.0.2.171 IKE never S

Step 11 The show ip nhrp traffic command displays NHRP statistics. The following example shows output for a specific tunnel, tunnel7:
Router# show ip nhrp traffic interface tunnel7

Example:

Tunnel7: Max-send limit:100Pkts/10Sec, Usage:0%
Sent: Total 79
18 Resolution Request 10 Resolution Reply 42 Registration Request
0 Registration Reply 3 Purge Request 6 Purge Reply
0 Error Indication 0 Traffic Indication
Rcvd: Total 69
10 Resolution Request 15 Resolution Reply 0 Registration Request
36 Registration Reply 6 Purge Request 2 Purge Reply
0 Error Indication 0 Traffic Indication
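The show dmvpn table (Step 10) and the show ip nhrp traffic counters (Step 11) are what an operator reads by hand; the following Python script is an added example, not part of this guide, that reads the same two outputs programmatically. It lists peers that are not in the UP state and computes how many NHRP registration and resolution requests went unanswered, which is a useful first signal when a spoke cannot reach its hub. The sample outputs are copied from the two examples above; parse_show_dmvpn, unhealthy_peers, parse_nhrp_traffic and unanswered are this example's own names.

```python
import re
from typing import Dict, List, Tuple

# Constructed samples: the show dmvpn and show ip nhrp traffic output shown in the guide.
SHOW_DMVPN = """\
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
Tunnel1, Type: Spoke, NBMA Peers: 3,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
2 192.0.2.21 192.0.2.116 IKE 3w0d D
1 192.0.2.102 192.0.2.11 NHRP 02:40:51 S
1 192.0.2.225 192.0.2.10 UP 3w0d S
Tunnel2, Type: Spoke, NBMA Peers: 1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 192.0.2.25 192.0.2.171 IKE never S
"""

SHOW_NHRP_TRAFFIC = """\
Tunnel7: Max-send limit:100Pkts/10Sec, Usage:0%
Sent: Total 79
18 Resolution Request 10 Resolution Reply 42 Registration Request
0 Registration Reply 3 Purge Request 6 Purge Reply
0 Error Indication 0 Traffic Indication
Rcvd: Total 69
10 Resolution Request 15 Resolution Reply 0 Registration Request
36 Registration Reply 6 Purge Request 2 Purge Reply
0 Error Indication 0 Traffic Indication
"""

TUNNEL_HDR = re.compile(r"^(Tunnel\d+), Type: (\w+), NBMA Peers: (\d+)")
# "# Ent", NBMA address, tunnel address, State, UpDn Tm, Attrb
PEER_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+([A-Z]+)\s*$")
COUNTER = re.compile(
    r"(\d+)\s+((?:Resolution|Registration|Purge) (?:Request|Reply)|(?:Error|Traffic) Indication)")


def parse_show_dmvpn(output: str) -> List[dict]:
    """One dict per peer row, tagged with the tunnel interface whose block it sits in."""
    peers, tunnel = [], None
    for line in output.splitlines():
        hdr = TUNNEL_HDR.match(line)
        if hdr:
            tunnel = hdr.group(1)
            continue
        row = PEER_ROW.match(line)
        if row and tunnel:  # legend, column header and dash rows do not match PEER_ROW
            ent, nbma, tun_addr, state, updn, attrb = row.groups()
            peers.append({"tunnel": tunnel, "entries": int(ent), "nbma": nbma,
                          "tunnel_addr": tun_addr, "state": state, "updn": updn, "attrb": attrb})
    return peers


def unhealthy_peers(peers: List[dict]) -> List[Tuple[str, str, str, str]]:
    """Peers whose state is anything but UP. Static (S) entries are configured NHS mappings,
    so a static peer stuck in IKE or NHRP, or with UpDn 'never', points at the hub path."""
    return [(p["tunnel"], p["nbma"], p["state"], p["attrb"]) for p in peers if p["state"] != "UP"]


def parse_nhrp_traffic(output: str) -> Dict[str, Dict[str, int]]:
    """Split the counters into the Sent and Rcvd sections keyed by message type."""
    counters: Dict[str, Dict[str, int]] = {"Sent": {}, "Rcvd": {}}
    section = None
    for line in output.splitlines():
        if line.startswith(("Sent:", "Rcvd:")):
            section = line[:4]
            continue
        if section:
            for count, name in COUNTER.findall(line):
                counters[section][name] = int(count)
    return counters


def unanswered(counters: Dict[str, Dict[str, int]], kind: str) -> int:
    """Requests this router sent minus replies it received, for 'Registration' or 'Resolution'."""
    return counters["Sent"].get(f"{kind} Request", 0) - counters["Rcvd"].get(f"{kind} Reply", 0)


if __name__ == "__main__":
    for entry in unhealthy_peers(parse_show_dmvpn(SHOW_DMVPN)):
        print("not up:", entry)
    stats = parse_nhrp_traffic(SHOW_NHRP_TRAFFIC)
    for kind in ("Registration", "Resolution"):
        print(f"{kind} requests without a reply: {unanswered(stats, kind)}")
```

On the sample data the spoke has six registration requests and three resolution requests outstanding; a steadily growing gap between these two counters, rather than the absolute number, is the figure worth trending.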

What to Do Next
If you have finished troubleshooting your DMVPN configuration and need to contact technical support, note that the show tech-support command includes information for DMVPN sessions. For more information, see the show tech-support command in the Cisco IOS Configuration Fundamentals Command Reference.

Configuration Examples for Dynamic Multipoint VPN (DMVPN) Feature

Example Hub Configuration for DMVPN
In the following example, which configures the hub router for multipoint GRE and IPsec integration, no
explicit configuration lines are needed for each spoke; that is, the hub is configured with a global IPsec policy
template that all spoke routers can talk to. In this example, EIGRP is configured to run over the private physical
interface and the tunnel interface.

crypto isakmp policy 1
encr aes
authentication pre-share
group 14
crypto isakmp key cisco47 address 0.0.0.0
!
crypto ipsec transform-set trans2 esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile vpnprof
set transform-set trans2
!
interface Tunnel0
bandwidth 1000
ip address 10.0.0.1 255.255.255.0
! Ensures longer packets are fragmented before they are encrypted; otherwise, the receiving
! router would have to do the reassembly.
ip mtu 1400
! The following line must match on all nodes that “want to use” this mGRE tunnel:
ip nhrp authentication donttell
! Note that the next line is required only on the hub.
ip nhrp map multicast dynamic
! The following line must match on all nodes that want to use this mGRE tunnel:
ip nhrp network-id 99
ip nhrp holdtime 300
! Turns off split horizon on the mGRE tunnel interface; otherwise, EIGRP will not advertise
! routes that are learned via the mGRE interface back out that interface.
no ip split-horizon eigrp 1
! Enables dynamic, direct spoke-to-spoke tunnels when using EIGRP.
no ip next-hop-self eigrp 1
ip tcp adjust-mss 1360
delay 1000
! Sets IPsec peer address to Ethernet interface’s public address.
tunnel source Ethernet0
tunnel mode gre multipoint
! The following line must match on all nodes that want to use this mGRE tunnel.
tunnel key 100000
tunnel protection ipsec profile vpnprof
!
interface Ethernet0
ip address 172.17.0.1 255.255.255.0
!
interface Ethernet1
ip address 192.168.0.1 255.255.255.0
!
router eigrp 1
network 10.0.0.0 0.0.0.255
network 192.168.0.0 0.0.0.255
!

For information about defining and configuring ISAKMP profiles, see the references in the “Related
Documents” section.

Example Spoke Configuration for DMVPN


In the following example, all spokes are configured the same except for the tunnel and local interface addresses, thereby reducing the configuration the user has to supply:

crypto isakmp policy 1
encr aes
authentication pre-share
group 14
crypto isakmp key cisco47 address 0.0.0.0
!
crypto ipsec transform-set trans2 esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile vpnprof
set transform-set trans2
!
interface Tunnel0
bandwidth 1000
ip address 10.0.0.2 255.255.255.0
ip mtu 1400
! The following line must match on all nodes that want to use this mGRE tunnel:
ip nhrp authentication donttell
! Definition of NHRP server at the hub (10.0.0.1), which is permanently mapped to the static
! public address of the hub (172.17.0.1).
ip nhrp map 10.0.0.1 172.17.0.1
! Sends multicast packets to the hub router, and enables the use of a dynamic routing
! protocol between the spoke and the hub.
ip nhrp map multicast 172.17.0.1
! The following line must match on all nodes that want to use this mGRE tunnel:
ip nhrp network-id 99
ip nhrp holdtime 300
! Configures the hub router as the NHRP next-hop server.
ip nhrp nhs 10.0.0.1
ip tcp adjust-mss 1360
delay 1000
tunnel source Ethernet0
tunnel mode gre multipoint
! The following line must match on all nodes that want to use this mGRE tunnel:
tunnel key 100000
tunnel protection ipsec profile vpnprof
!
! This is a spoke, so the public address might be dynamically assigned via DHCP.
interface Ethernet0
ip address dhcp hostname Spoke1
!
interface Ethernet1
ip address 192.168.1.1 255.255.255.0
!
! EIGRP is configured to run over the inside physical interface and the tunnel.
router eigrp 1
network 10.0.0.0 0.0.0.255
network 192.168.1.0 0.0.0.255

Example VRF Aware DMVPN


When configuring VRF Aware DMVPN, you must create a separate DMVPN network for each VRF instance. In the following example, there are two DMVPN networks: BLUE and RED. In addition, a separate source interface has been used on the hub for each DMVPN tunnel, which is required for Cisco IOS Release 12.2(18)SXE. For other Cisco IOS releases, you can configure the same tunnel source for both of the tunnel interfaces, but you must then configure the tunnel key and tunnel protection (tunnel protection ipsec profile {name} shared) commands.

Note If you use the shared keyword, then you should be running Cisco IOS Release 12.4(5) or Release 12.4(6)T,
or a later release. Otherwise the IPsec/GRE tunnels under the two mGRE tunnel interfaces may not function
correctly.

Hub Configuration

interface Tunnel0
! Note the next line.
ip vrf forwarding BLUE
bandwidth 1000
ip address 10.0.0.1 255.255.255.0
ip mtu 1436
! Note the next line.
ip nhrp authentication BLUE!KEY
ip nhrp map multicast dynamic
! Note the next line.
ip nhrp network-id 100000
ip nhrp holdtime 600
no ip split-horizon eigrp 1
no ip next-hop-self eigrp 1
ip tcp adjust-mss 1360
delay 1000
! Note the next line.
tunnel source Ethernet0
tunnel mode gre multipoint
tunnel protection ipsec profile vpnprof
!
interface Tunnel1
! Note the next line.
ip vrf forwarding RED
bandwidth 1000
ip address 10.0.0.1 255.255.255.0
ip mtu 1436
! Note the next line.
ip nhrp authentication RED!KEY
ip nhrp map multicast dynamic
! Note the next line.
ip nhrp network-id 20000
ip nhrp holdtime 600
no ip split-horizon eigrp 1
no ip next-hop-self eigrp 1
ip tcp adjust-mss 1360
delay 1000
! Note the next line.
tunnel source Ethernet1
tunnel mode gre multipoint
tunnel protection ipsec profile vpnprof
!
interface Ethernet0
ip address 172.17.0.1 255.255.255.0
interface Ethernet1
ip address 192.0.2.171 255.255.255.0

Note For the hub configuration shown above, a separate DMVPN network is configured for each VPN. The NHRP
network ID and authentication keys must be unique on the two mGRE interfaces.

EIGRP Configuration on the Hub

router eigrp 1
auto-summary
!
address-family ipv4 vrf BLUE
network 10.0.0.0 0.0.0.255
no auto-summary
autonomous-system 1
exit-address-family
!
address-family ipv4 vrf RED
network 10.0.0.0 0.0.0.255
no auto-summary
autonomous-system 1
exit-address-family

Spoke Configurations

Spoke 1:

interface Tunnel0
bandwidth 1000
ip address 10.0.0.2 255.255.255.0
ip mtu 1436
! Note the next line.
ip nhrp authentication BLUE!KEY
ip nhrp map 10.0.0.1 172.17.0.1
ip nhrp network-id 100000
ip nhrp holdtime 300
ip nhrp nhs 10.0.0.1
ip tcp adjust-mss 1360
delay 1000
tunnel mode gre multipoint
tunnel source Ethernet0
tunnel destination 172.17.0.1
tunnel protection ipsec profile vpnprof

Spoke 2:

interface Tunnel0
bandwidth 1000
ip address 10.0.0.2 255.255.255.0
ip mtu 1436
ip nhrp authentication RED!KEY
ip nhrp map 10.0.0.1 192.0.2.171
ip nhrp network-id 200000
ip nhrp holdtime 300
ip nhrp nhs 10.0.0.1
ip tcp adjust-mss 1360
delay 1000
tunnel source Ethernet0
tunnel destination 192.0.2.171
tunnel protection ipsec profile vpnprof
!
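The hub and spoke examples above repeat two kinds of rule: some parameters (NHRP authentication, network ID, tunnel key) must match on every node of one mGRE tunnel, while in the VRF Aware case the network ID and authentication key must be unique across the hub's mGRE interfaces, and hub tunnels that share a tunnel source need distinct tunnel keys plus the shared keyword. The following Python script is an added example, not part of this guide and not a Cisco tool: it parses the unindented interface stanzas shown in these examples and reports violations of those rules before the configuration is pushed. The sample configurations are constructed from the VRF Aware example, with the RED spoke's network ID deliberately set so that it differs from the hub's; parse_interfaces, check_hub and check_spoke are this example's own names.

```python
from collections import defaultdict
from typing import Dict, List

# Constructed sample modelled on the VRF Aware example: one hub mGRE tunnel per VRF and
# one spoke per VRF. Spoke2's network ID deliberately differs from the hub's RED tunnel.
HUB_CONFIG = """\
interface Tunnel0
ip address 10.0.0.1 255.255.255.0
ip nhrp authentication BLUE!KEY
ip nhrp network-id 100000
tunnel source Ethernet0
tunnel protection ipsec profile vpnprof
interface Tunnel1
ip address 10.0.0.1 255.255.255.0
ip nhrp authentication RED!KEY
ip nhrp network-id 20000
tunnel source Ethernet1
tunnel protection ipsec profile vpnprof
interface Ethernet0
ip address 172.17.0.1 255.255.255.0
interface Ethernet1
ip address 192.0.2.171 255.255.255.0
"""
SPOKE1_CONFIG = """\
interface Tunnel0
ip address 10.0.0.2 255.255.255.0
ip nhrp authentication BLUE!KEY
ip nhrp map 10.0.0.1 172.17.0.1
ip nhrp network-id 100000
ip nhrp nhs 10.0.0.1
tunnel source Ethernet0
"""
SPOKE2_CONFIG = (SPOKE1_CONFIG.replace("BLUE!KEY", "RED!KEY")
                 .replace("172.17.0.1", "192.0.2.171").replace("100000", "200000"))

# Top-level keywords that end an interface stanza in the stripped configs used here.
TOP_LEVEL = ("interface ", "router ", "crypto ", "hostname ", "line ", "end")


def parse_interfaces(config: str) -> Dict[str, dict]:
    """Collect the DMVPN-relevant parameters of every interface stanza, keyed by name."""
    ifaces: Dict[str, dict] = {}
    cur = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            cur = {"name": line.split()[1], "ip": None, "auth": None, "network_id": None,
                   "tunnel_key": None, "source": None, "protection": None, "nhs": [], "map": {}}
            ifaces[cur["name"]] = cur
        elif line.startswith(TOP_LEVEL):
            cur = None
        elif cur is None:
            continue
        elif line.startswith("ip address ") and not line.startswith("ip address dhcp"):
            cur["ip"] = line.split()[2]
        elif line.startswith("ip nhrp authentication "):
            cur["auth"] = line.split()[3]
        elif line.startswith("ip nhrp network-id "):
            cur["network_id"] = line.split()[3]
        elif line.startswith("ip nhrp nhs "):
            cur["nhs"].append(line.split()[3])
        elif line.startswith("ip nhrp map ") and not line.startswith("ip nhrp map multicast"):
            cur["map"][line.split()[3]] = line.split()[4]   # tunnel address -> NBMA address
        elif line.startswith("tunnel key "):
            cur["tunnel_key"] = line.split()[2]
        elif line.startswith("tunnel source "):
            cur["source"] = line.split()[2]
        elif line.startswith("tunnel protection "):
            cur["protection"] = line
    return ifaces


def check_hub(hub: Dict[str, dict]) -> List[str]:
    """Hub-side rules: network ID and authentication key unique per mGRE interface; tunnels
    that share one source need distinct tunnel keys and 'tunnel protection ... shared'."""
    findings: List[str] = []
    tunnels = [i for i in hub.values() if i["name"].startswith("Tunnel")]
    for key in ("network_id", "auth"):
        seen = defaultdict(list)
        for t in tunnels:
            seen[t[key]].append(t["name"])
        findings += [f"{key} {v!r} reused on {', '.join(n)}" for v, n in seen.items() if len(n) > 1]
    by_source = defaultdict(list)
    for t in tunnels:
        by_source[t["source"]].append(t)
    for src, group in by_source.items():
        if len(group) < 2:
            continue
        keys = {t["tunnel_key"] for t in group}
        if None in keys or len(keys) < len(group):
            findings.append(f"tunnels sourced from {src} need distinct 'tunnel key' values")
        findings += [f"{t['name']}: source {src} is shared, so 'tunnel protection ... shared' is required"
                     for t in group if not (t["protection"] or "").endswith(" shared")]
    return findings


def check_spoke(spoke: Dict[str, dict], hub: Dict[str, dict]) -> List[str]:
    """Pair each spoke tunnel with the hub tunnel behind its NHS (via the NBMA address in
    'ip nhrp map') and compare the values that must match on every node of the tunnel."""
    hub_by_nbma = {hub[t["source"]]["ip"]: t for t in hub.values()
                   if t["name"].startswith("Tunnel") and t["source"] in hub}
    findings: List[str] = []
    for s in (i for i in spoke.values() if i["name"].startswith("Tunnel")):
        for nhs in s["nhs"]:
            h = hub_by_nbma.get(s["map"].get(nhs))
            if h is None:
                findings.append(f"{s['name']}: NHS {nhs} is not mapped to a hub tunnel's NBMA address")
                continue
            findings += [f"{s['name']}: {k} {s[k]!r} differs from hub {h['name']} {h[k]!r}"
                         for k in ("auth", "network_id", "tunnel_key") if s[k] != h[k]]
    return findings
```

Run against the samples, check_hub and the BLUE spoke are clean and the RED spoke reports its network ID mismatch; pointing the hub's second tunnel at the same source interface makes check_hub demand tunnel keys and the shared keyword, which is exactly the condition the note above describes.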

Example 2547oDMVPN with Traffic Segmentation (with BGP only)


The following example shows a traffic segmentation configuration in which traffic is segmented between two spokes that serve as provider edge (PE) devices.

Hub Configuration

hostname hub-pe1
boot-start-marker
boot-end-marker
no aaa new-model
resource policy
clock timezone EST 0
ip cef
no ip domain lookup
!This section refers to the forwarding table for VRF blue:
ip vrf blue
rd 2:2
route-target export 2:2
route-target import 2:2
!This section refers to the forwarding table for VRF red:
ip vrf red
rd 1:1
route-target export 1:1
route-target import 1:1
mpls label protocol ldp
crypto isakmp policy 1
encr aes
authentication pre-share
group 14
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set t1 esp-aes
mode transport

crypto ipsec profile prof
set transform-set t1
interface Tunnel1
ip address 10.9.9.1 255.255.255.0
no ip redirects
ip nhrp authentication cisco
ip nhrp map multicast dynamic
ip nhrp network-id 1
!The command below enables MPLS on the DMVPN network:
mpls ip
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel protection ipsec profile prof
interface Loopback0
ip address 10.0.0.1 255.255.255.255
interface Ethernet0/0
ip address 172.0.0.1 255.255.255.0
!The multiprotocol BGP route reflector (the hub) configuration changes the next-hop
information to set itself as the next-hop and assigns a new VPN label for the prefixes
learned from the spokes and advertises the VPN prefix:
router bgp 1
no synchronization
bgp log-neighbor-changes
neighbor 10.0.0.11 remote-as 1
neighbor 10.0.0.11 update-source Tunnel1
neighbor 10.0.0.12 remote-as 1
neighbor 10.0.0.12 update-source Tunnel1
no auto-summary
address-family vpnv4
neighbor 10.0.0.11 activate
neighbor 10.0.0.11 send-community extended
neighbor 10.0.0.11 route-reflector-client
neighbor 10.0.0.11 route-map NEXTHOP out
neighbor 10.0.0.12 activate
neighbor 10.0.0.12 send-community extended
neighbor 10.0.0.12 route-reflector-client
neighbor 10.0.0.12 route-map NEXTHOP out
exit-address-family
address-family ipv4 vrf red
redistribute connected
no synchronization
exit-address-family
address-family ipv4 vrf blue
redistribute connected
no synchronization
exit-address-family
no ip http server
no ip http secure-server
!In this route map information, the hub sets the next hop to itself, and the VPN prefixes
are advertised:
route-map NEXTHOP permit 10
set ip next-hop 10.0.0.1
control-plane
line con 0
logging synchronous
line aux 0
line vty 0 4
no login
end


Spoke Configurations

Spoke 2

hostname spoke-pe2
boot-start-marker
boot-end-marker
no aaa new-model
resource policy
clock timezone EST 0
ip cef
no ip domain lookup
!This section refers to the forwarding table for VRF blue:
ip vrf blue
rd 2:2
route-target export 2:2
route-target import 2:2
!This section refers to the forwarding table for VRF red:
ip vrf red
rd 1:1
route-target export 1:1
route-target import 1:1
mpls label protocol ldp
crypto isakmp policy 1
encr aes
authentication pre-share
group 14
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set t1 esp-aes
mode transport
crypto ipsec profile prof
set transform-set t1
interface Tunnel1
ip address 10.0.0.11 255.255.255.0
no ip redirects
ip nhrp authentication cisco
ip nhrp map multicast dynamic
ip nhrp map 10.0.0.1 172.0.0.1
ip nhrp map multicast 172.0.0.1
ip nhrp network-id 1
ip nhrp nhs 10.0.0.1
!The command below enables MPLS on the DMVPN network:
mpls ip
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel protection ipsec profile prof
interface Loopback0
ip address 10.9.9.11 255.255.255.255
interface Ethernet0/0
ip address 172.0.0.11 255.255.255.0
!
!
interface Ethernet1/0
ip vrf forwarding red
ip address 192.168.11.2 255.255.255.0
interface Ethernet2/0
ip vrf forwarding blue
ip address 192.168.11.2 255.255.255.0
!The multiprotocol BGP route reflector (the hub) configuration changes the next-hop
information to set itself as the next-hop and assigns a new VPN label for the prefixes
learned from the spokes and advertises the VPN prefix:
router bgp 1
no synchronization


bgp log-neighbor-changes
neighbor 10.0.0.1 remote-as 1
neighbor 10.0.0.1 update-source Tunnel1
no auto-summary
address-family vpnv4
neighbor 10.0.0.1 activate
neighbor 10.0.0.1 send-community extended
exit-address-family
!
address-family ipv4 vrf red
redistribute connected
no synchronization
exit-address-family
!
address-family ipv4 vrf blue
redistribute connected
no synchronization
exit-address-family
no ip http server
no ip http secure-server
control-plane
line con 0
logging synchronous
line aux 0
line vty 0 4
no login
end

Spoke 3

hostname spoke-PE3
boot-start-marker
boot-end-marker
no aaa new-model
resource policy
clock timezone EST 0
ip cef
no ip domain lookup
!This section refers to the forwarding table for VRF blue:
ip vrf blue
rd 2:2
route-target export 2:2
route-target import 2:2
!This section refers to the forwarding table for VRF red:
ip vrf red
rd 1:1
route-target export 1:1
route-target import 1:1
mpls label protocol ldp
crypto isakmp policy 1
encr aes
authentication pre-share
group 14
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set t1 esp-aes
mode transport
crypto ipsec profile prof
set transform-set t1
interface Tunnel1
ip address 10.0.0.12 255.255.255.0
no ip redirects
ip nhrp authentication cisco
ip nhrp map multicast dynamic

ip nhrp map 10.0.0.1 172.0.0.1
ip nhrp map multicast 172.0.0.1
ip nhrp network-id 1
ip nhrp nhs 10.0.0.1
!The command below enables MPLS on the DMVPN network:
mpls ip
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel protection ipsec profile prof
!
interface Loopback0
ip address 10.9.9.12 255.255.255.255
interface Ethernet0/0
ip address 172.0.0.12 255.255.255.0
interface Ethernet1/0
ip vrf forwarding red
ip address 192.168.12.2 255.255.255.0
interface Ethernet2/0
ip vrf forwarding blue
ip address 192.168.12.2 255.255.255.0
!The multiprotocol BGP route reflector (the hub) configuration changes the next-hop
information to set itself as the next-hop and assigns a new VPN label for the prefixes
learned from the spokes and advertises the VPN prefix:
router bgp 1
no synchronization
bgp log-neighbor-changes
neighbor 10.0.0.1 remote-as 1
neighbor 10.0.0.1 update-source Tunnel1
no auto-summary
address-family vpnv4
neighbor 10.0.0.1 activate
neighbor 10.0.0.1 send-community extended
exit-address-family
address-family ipv4 vrf red
redistribute connected
no synchronization
exit-address-family
address-family ipv4 vrf blue
redistribute connected
no synchronization
exit-address-family
no ip http server
no ip http secure-server
control-plane
line con 0
logging synchronous
line aux 0
line vty 0 4
no login
end

Example 2547oDMVPN with Traffic Segmentation (Enterprise Branch)


The following example shows a configuration for segmenting traffic between two spokes located at branch
offices of an enterprise. In this example, EIGRP is configured to learn routes to reach BGP neighbors within
the DMVPN.

Hub Configuration

hostname HUB
boot-start-marker


boot-end-marker
no aaa new-model
resource policy
clock timezone EST 0
ip cef
no ip domain lookup
!This section refers to the forwarding table for VRF blue:
ip vrf blue
rd 2:2
route-target export 2:2
route-target import 2:2
!This refers to the forwarding table for VRF red:
ip vrf red
rd 1:1
route-target export 1:1
route-target import 1:1
mpls label protocol ldp
crypto isakmp policy 1
encr aes
authentication pre-share
group 14
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set t1 esp-aes
mode transport
crypto ipsec profile prof
set transform-set t1
interface Tunnel1
ip address 10.0.0.1 255.255.255.0
no ip redirects
ip nhrp authentication cisco
ip nhrp map multicast dynamic
ip nhrp network-id 1
!EIGRP is enabled on the DMVPN network to learn the IGP prefixes:
no ip split-horizon eigrp 1
!The command below enables MPLS on the DMVPN network:
mpls ip
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel protection ipsec profile prof
!This address is advertised by EIGRP and used as the BGP endpoint:
interface Loopback0
ip address 10.9.9.1 255.255.255.255
interface Ethernet0/0
ip address 172.0.0.1 255.255.255.0
!EIGRP is configured to learn the BGP peer addresses (10.9.9.x networks)
router eigrp 1
network 10.9.9.1 0.0.0.0
network 10.0.0.0 0.0.0.255
no auto-summary
!The multiprotocol BGP route reflector (the hub) configuration changes the next-hop
information to set itself as the next-hop and assigns a new VPN label for the prefixes
learned from the spokes and advertises the VPN prefix:
router bgp 1
no synchronization
bgp router-id 10.9.9.1
bgp log-neighbor-changes
neighbor 10.9.9.11 remote-as 1
neighbor 10.9.9.11 update-source Loopback0
neighbor 10.9.9.12 remote-as 1
neighbor 10.9.9.12 update-source Loopback0
no auto-summary
address-family vpnv4
neighbor 10.9.9.11 activate
neighbor 10.9.9.11 send-community extended

neighbor 10.9.9.11 route-reflector-client
neighbor 10.9.9.12 activate
neighbor 10.9.9.12 send-community extended
neighbor 10.9.9.12 route-reflector-client
exit-address-family
address-family ipv4 vrf red
redistribute connected
no synchronization
exit-address-family
address-family ipv4 vrf blue
redistribute connected
no synchronization
exit-address-family
no ip http server
no ip http secure-server
control-plane
line con 0
logging synchronous
line aux 0
line vty 0 4
no login
end

Spoke Configurations

Spoke 2

hostname Spoke2
boot-start-marker
boot-end-marker
no aaa new-model
resource policy
clock timezone EST 0
ip cef
no ip domain lookup
!This section refers to the forwarding table for VRF blue:
ip vrf blue
rd 2:2
route-target export 2:2
route-target import 2:2
!This section refers to the forwarding table for VRF red:
ip vrf red
rd 1:1
route-target export 1:1
route-target import 1:1
mpls label protocol ldp
crypto isakmp policy 1
encr aes
authentication pre-share
group 14
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set t1 esp-aes
mode transport
crypto ipsec profile prof
set transform-set t1
interface Tunnel1
ip address 10.0.0.11 255.255.255.0
no ip redirects
ip nhrp authentication cisco
ip nhrp map multicast dynamic
ip nhrp map 10.0.0.1 172.0.0.1
ip nhrp map multicast 172.0.0.1


ip nhrp network-id 1
ip nhrp nhs 10.0.0.1
!The command below enables MPLS on the DMVPN network:
mpls ip
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel protection ipsec profile prof
!This address is advertised by EIGRP and used as the BGP endpoint:
interface Loopback0
ip address 10.9.9.11 255.255.255.255
interface Ethernet0/0
ip address 172.0.0.11 255.255.255.0
interface Ethernet1/0
ip vrf forwarding red
ip address 192.168.11.2 255.255.255.0
interface Ethernet2/0
ip vrf forwarding blue
ip address 192.168.11.2 255.255.255.0
!EIGRP is enabled on the DMVPN network to learn the IGP prefixes:
router eigrp 1
network 10.9.9.11 0.0.0.0
network 10.0.0.0 0.0.0.255
no auto-summary
!The multiprotocol BGP route reflector (the hub) configuration changes the next-hop
information to set itself as the next-hop and assigns a new VPN label for the prefixes
learned from the spokes and advertises the VPN prefix:
router bgp 1
no synchronization
bgp router-id 10.9.9.11
bgp log-neighbor-changes
neighbor 10.9.9.1 remote-as 1
neighbor 10.9.9.1 update-source Loopback0
no auto-summary
address-family vpnv4
neighbor 10.9.9.1 activate
neighbor 10.9.9.1 send-community extended
exit-address-family
address-family ipv4 vrf red
redistribute connected
no synchronization
exit-address-family
address-family ipv4 vrf blue
redistribute connected
no synchronization
exit-address-family
no ip http server
no ip http secure-server
control-plane
line con 0
logging synchronous
line aux 0
line vty 0 4
no login
end

Spoke 3

hostname Spoke3
boot-start-marker
boot-end-marker
no aaa new-model
resource policy
clock timezone EST 0
ip cef
no ip domain lookup
!This section refers to the forwarding table for VRF blue:
ip vrf blue
rd 2:2
route-target export 2:2
route-target import 2:2
!This section refers to the forwarding table for VRF red:
ip vrf red
rd 1:1
route-target export 1:1
route-target import 1:1
mpls label protocol ldp
crypto isakmp policy 1
encr aes
authentication pre-share
group 14
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set t1 esp-aes
mode transport
crypto ipsec profile prof
set transform-set t1
interface Tunnel1
ip address 10.0.0.12 255.255.255.0
no ip redirects
ip nhrp authentication cisco
ip nhrp map multicast dynamic
ip nhrp map 10.0.0.1 172.0.0.1
ip nhrp map multicast 172.0.0.1
ip nhrp network-id 1
ip nhrp nhs 10.0.0.1
!The command below enables MPLS on the DMVPN network:
mpls ip
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel protection ipsec profile prof
!This address is advertised by EIGRP and used as the BGP endpoint:
interface Loopback0
ip address 10.9.9.12 255.255.255.255
interface Ethernet0/0
ip address 172.0.0.12 255.255.255.0
interface Ethernet1/0
ip vrf forwarding red
ip address 192.168.12.2 255.255.255.0
interface Ethernet2/0
ip vrf forwarding blue
ip address 192.168.12.2 255.255.255.0
!EIGRP is enabled on the DMVPN network to learn the IGP prefixes:
router eigrp 1
network 10.9.9.12 0.0.0.0
network 10.0.0.0 0.0.0.255
no auto-summary
!The spoke peers over its loopback with the hub, which acts as the multiprotocol BGP route
!reflector for the VPNv4 prefixes (and their VPN labels) learned from each spoke:
router bgp 1
no synchronization
bgp router-id 10.9.9.12
bgp log-neighbor-changes
neighbor 10.9.9.1 remote-as 1
neighbor 10.9.9.1 update-source Loopback0
no auto-summary
address-family vpnv4
neighbor 10.9.9.1 activate
neighbor 10.9.9.1 send-community extended
exit-address-family
address-family ipv4 vrf red
redistribute connected
no synchronization
exit-address-family
address-family ipv4 vrf blue
redistribute connected
no synchronization
exit-address-family
no ip http server
no ip http secure-server
control-plane
line con 0
logging synchronous
line aux 0
line vty 0 4
no login
end
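The spoke configurations above are lab settings: a single wildcard IKEv1 pre-shared key (crypto isakmp key cisco address 0.0.0.0 0.0.0.0), a transform set with encryption but no integrity algorithm (esp-aes alone), and VTY lines with no login. The following audit script is an added example, not part of the Cisco guide; it parses an IOS running-config into top-level commands and their sub-commands and flags those patterns, together with a weak Diffie-Hellman group or a missing encr line in an ISAKMP policy. Both config snippets in it are constructed for the example: the first mirrors the page's settings, the second is one hardened equivalent (the key value and hub address in it are placeholders).

```python
"""
Added example, not part of the Cisco guide: audit an IOS config for the lab-grade
crypto and access settings seen in the 2547oDMVPN spoke configurations.
"""
import re

# Constructed: mirrors the crypto/VTY settings in the page's spoke configs.
LAB_SPOKE_CONFIG = """\
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 14
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set t1 esp-aes
 mode transport
crypto ipsec profile prof
 set transform-set t1
interface Tunnel1
 ip nhrp authentication cisco
 tunnel protection ipsec profile prof
line vty 0 4
 no login
"""

# Constructed hardened equivalent: per-peer key bound to the hub's NBMA address,
# AES-256 with SHA-256 HMAC, SSH-only VTY with authentication.
HARDENED_SPOKE_CONFIG = """\
crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key rA9zQ7pL3mV2cX8w address 172.0.0.1 255.255.255.255
crypto ipsec transform-set t1 esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile prof
 set transform-set t1
interface Tunnel1
 ip nhrp authentication cisco
 tunnel protection ipsec profile prof
line vty 0 4
 login local
 transport input ssh
"""


def sections(config):
    """Yield (top-level command, [indented sub-commands]) in running-config order."""
    header, body = None, []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):
            body.append(raw.strip())
        else:
            if header is not None:
                yield header, body
            header, body = raw.strip(), []
    if header is not None:
        yield header, body


def audit_ios_crypto(config):
    """Return findings as (rule, offending line, remediation) tuples."""
    findings = []
    for header, body in sections(config):
        # Any host that learns the key can complete IKE with this router.
        if re.match(r"crypto isakmp key \S+ address 0\.0\.0\.0 0\.0\.0\.0$", header):
            findings.append(("wildcard-psk", header,
                             "bind the key to each hub address, or move to certificates/IKEv2"))
        # ESP without an integrity transform: ciphertext can be altered undetected.
        m = re.match(r"crypto ipsec transform-set \S+ (.+)", header)
        if m:
            transforms = m.group(1).split()
            if not any(t.endswith("-hmac") or "gcm" in t or t.startswith("ah-") for t in transforms):
                findings.append(("esp-no-integrity", header,
                                 "add esp-sha256-hmac, or use an AEAD transform such as esp-gcm"))
        if header.startswith("crypto isakmp policy"):
            for line in body:
                g = re.match(r"group (\d+)$", line)
                if g and int(g.group(1)) < 14:
                    findings.append(("weak-dh-group", line, "use DH group 14 or larger, or ECDH 19/20"))
            if not any(l.startswith("encr") for l in body):
                findings.append(("default-encr", header,
                                 "set the encryption algorithm explicitly (encr aes 256)"))
        if header.startswith("line vty") and "no login" in body:
            findings.append(("vty-no-login", header,
                             "require authentication (login local or AAA) and 'transport input ssh'"))
    return findings


if __name__ == "__main__":
    for rule, line, fix in audit_ios_crypto(LAB_SPOKE_CONFIG):
        print(f"{rule:18} {line!r}: {fix}")
```

Note that ip nhrp authentication is not on the checklist: the NHRP authentication string is a plain-text grouping tag carried inside the tunnel, not a credential; the IPsec profile is what actually protects the NHRP exchange.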

Sample Command Output: show mpls ldp bindings

Spoke2# show mpls ldp bindings
  tib entry: 10.9.9.1/32, rev 8
        local binding:  tag: 16
        remote binding: tsr: 10.9.9.1:0, tag: imp-null
  tib entry: 10.9.9.11/32, rev 4
        local binding:  tag: imp-null
        remote binding: tsr: 10.9.9.1:0, tag: 16
  tib entry: 10.9.9.12/32, rev 10
        local binding:  tag: 17
        remote binding: tsr: 10.9.9.1:0, tag: 17
  tib entry: 10.0.0.0/24, rev 6
        local binding:  tag: imp-null
        remote binding: tsr: 10.9.9.1:0, tag: imp-null
  tib entry: 172.0.0.0/24, rev 3
        local binding:  tag: imp-null
        remote binding: tsr: 10.9.9.1:0, tag: imp-null
Spoke2#

Sample Command Output: show mpls forwarding-table

Spoke2# show mpls forwarding-table
Local  Outgoing    Prefix              Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id        switched   interface
16     Pop tag     10.9.9.1/32         0          Tu1        10.0.0.1
17     17          10.9.9.12/32        0          Tu1        10.0.0.1
18     Aggregate   192.168.11.0/24[V]  0
19     Aggregate   192.168.11.0/24[V]  0
Spoke2#

Sample Command Output: show ip route vrf red

Spoke2# show ip route vrf red


Routing Table: red
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
B 192.168.12.0/24 [200/0] via 10.9.9.12, 00:00:02
C 192.168.11.0/24 is directly connected, Ethernet1/0
Spoke2#

Sample Command Output: show ip route vrf blue

Spoke2# show ip route vrf blue


Routing Table: blue
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
B 192.168.12.0/24 [200/0] via 10.9.9.12, 00:00:08
C 192.168.11.0/24 is directly connected, Ethernet2/0
Spoke2#

Sample Command Output: show ip cef vrf red

Spoke2# show ip cef vrf red 192.168.12.0
192.168.12.0/24, version 5, epoch 0
0 packets, 0 bytes
tag information set
local tag: VPN-route-head
fast tag rewrite with Tu1, 10.0.0.1, tags imposed: {17 18}
via 10.9.9.12, 0 dependencies, recursive
next hop 10.0.0.1, Tunnel1 via 10.9.9.12/32
valid adjacency
tag rewrite with Tu1, 10.0.0.1, tags imposed: {17 18}
Spoke2#
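The cef rewrite "tags imposed: {17 18}" is the whole of 2547oDMVPN in one line: 17 is the label the hub advertised (via LDP over Tunnel1) for the remote spoke's loopback 10.9.9.12/32, and 18 is the VPN label carried with the VPNv4 route for 192.168.12.0/24 in VRF red. The model below is an added example, not code from the Cisco guide; it parses the Spoke2 LDP bindings shown above, imposes the stack the same way Spoke2 does, and follows the packet through the hub to Spoke3. Two things in it are assumptions that the page does not show: the hub's forwarding entry for label 17 is a pop (Spoke3 advertises imp-null for its own loopback, as Spoke2 does for 10.9.9.11/32), and Spoke3's aggregate labels are 18 for VRF red and 19 for VRF blue, mirroring Spoke2's own 18/19 allocation.

```python
"""
Added example, not part of the Cisco guide: model of the 2547oDMVPN data path
Spoke2 -> hub -> Spoke3 built from the Spoke2 'show mpls' output.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# 'show mpls ldp bindings' on Spoke2, as printed on the page (hub = tsr 10.9.9.1:0).
SPOKE2_LDP_BINDINGS = """\
tib entry: 10.9.9.1/32, rev 8
local binding: tag: 16
remote binding: tsr: 10.9.9.1:0, tag: imp-null
tib entry: 10.9.9.11/32, rev 4
local binding: tag: imp-null
remote binding: tsr: 10.9.9.1:0, tag: 16
tib entry: 10.9.9.12/32, rev 10
local binding: tag: 17
remote binding: tsr: 10.9.9.1:0, tag: 17
"""


@dataclass(frozen=True)
class VpnRoute:
    vrf: str
    prefix: str
    next_hop: str    # BGP next hop: the remote spoke's loopback
    vpn_label: int   # inner label allocated by the remote spoke


# Spoke2 VPNv4 routes: red's label 18 is from the cef output; blue's 19 is assumed.
SPOKE2_VPN_ROUTES = (
    VpnRoute("red", "192.168.12.0/24", "10.9.9.12", 18),
    VpnRoute("blue", "192.168.12.0/24", "10.9.9.12", 19),
)
# Hub LFIB (assumed): outer label -> (action, NBMA address of the next hop over Tunnel1).
HUB_LFIB = {16: ("pop", "172.0.0.11"), 17: ("pop", "172.0.0.12")}
# Spoke3 LFIB (assumed): aggregate label -> (VRF, connected interface for 192.168.12.0/24).
SPOKE3_LFIB = {18: ("red", "Ethernet1/0"), 19: ("blue", "Ethernet2/0")}


def parse_ldp_remote_bindings(text):
    """prefix -> label the LDP peer expects (None means imp-null, i.e. penultimate-hop pop)."""
    bindings, prefix = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("tib entry:"):
            prefix = line.split()[2].rstrip(",")
        elif line.startswith("remote binding:") and prefix:
            tag = line.rsplit("tag:", 1)[1].strip()
            bindings[prefix] = None if tag == "imp-null" else int(tag)
    return bindings


def impose(vrf, dst, routes=SPOKE2_VPN_ROUTES, ldp=None):
    """Spoke2 egress: VRF route lookup, then push [outer LDP label for the BGP next hop,
    inner VPN label]. The outer label is the hub's binding for the next-hop /32."""
    ldp = ldp if ldp is not None else parse_ldp_remote_bindings(SPOKE2_LDP_BINDINGS)
    dst_ip = ip_address(dst)
    for r in routes:
        if r.vrf == vrf and dst_ip in ip_network(r.prefix):
            outer = ldp[f"{r.next_hop}/32"]
            return [r.vpn_label] if outer is None else [outer, r.vpn_label]
    raise LookupError(f"no route to {dst} in vrf {vrf}")


def hub_switch(stack):
    """Hub: acts on the outer label only; it never looks at the VPN label or the IP header."""
    action, nbma = HUB_LFIB[stack[0]]
    if action != "pop":
        raise NotImplementedError(action)
    return nbma, stack[1:]


def spoke3_deliver(stack):
    """Spoke3: the inner label alone selects the VRF; the IP header could not, since
    red and blue both carry 192.168.12.0/24."""
    return SPOKE3_LFIB[stack[0]]


def trace(vrf, dst):
    """End-to-end Spoke2 -> hub -> Spoke3, returning what each stage saw."""
    stack = impose(vrf, dst)
    nbma, inner = hub_switch(stack)
    vrf_out, egress = spoke3_deliver(inner)
    return {"imposed": stack, "hub_to": nbma, "inner": inner, "vrf": vrf_out, "egress": egress}


if __name__ == "__main__":
    for vrf in ("red", "blue"):
        print(vrf, trace(vrf, "192.168.12.5"))
```

The security point the model makes visible: the VRF boundary is the inner label, nothing else. All VRFs ride the same IPsec SA between a spoke and the hub, and the hub forwards on the outer label without inspecting the inner one, so any device that can write labels into the tunnel (the hub, or any spoke) can place a packet into any VRF. 2547oDMVPN separates traffic; it does not authenticate VRF membership, so the hub and every spoke must be trusted for every VRF they carry.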

Sample Command Output: show ip bgp neighbors

Spoke2# show ip bgp neighbors

BGP neighbor is 10.9.9.1, remote AS 1, internal link


BGP version 4, remote router ID 10.9.9.1
BGP state = Established, up for 00:02:09
Last read 00:00:08, last write 00:00:08, hold time is 180, keepalive interval is 60 seconds

Neighbor capabilities:
Route refresh: advertised and received(old & new)
Address family IPv4 Unicast: advertised and received
Address family VPNv4 Unicast: advertised and received
Message statistics:
InQ depth is 0
OutQ depth is 0
Sent Rcvd
Opens: 1 1
Notifications: 0 0
Updates: 4 4
Keepalives: 4 4
Route Refresh: 0 0
Total: 9 9
Default minimum time between advertisement runs is 0 seconds
For address family: IPv4 Unicast
BGP table version 1, neighbor version 1/0
Output queue size : 0
Index 1, Offset 0, Mask 0x2
1 update-group member
Sent Rcvd
Prefix activity: ---- ----
Prefixes Current: 0 0
Prefixes Total: 0 0
Implicit Withdraw: 0 0
Explicit Withdraw: 0 0
Used as bestpath: n/a 0
Used as multipath: n/a 0
Outbound Inbound
Local Policy Denied Prefixes: -------- -------
Total: 0 0
Number of NLRIs in the update sent: max 0, min 0
For address family: VPNv4 Unicast
BGP table version 9, neighbor version 9/0
Output queue size : 0
Index 1, Offset 0, Mask 0x2
1 update-group member
Sent Rcvd
Prefix activity: ---- ----
Prefixes Current: 2 2 (Consumes 136 bytes)
Prefixes Total: 4 2
Implicit Withdraw: 2 0
Explicit Withdraw: 0 0
Used as bestpath: n/a 2
Used as multipath: n/a 0
Outbound Inbound
Local Policy Denied Prefixes: -------- -------
ORIGINATOR loop: n/a 2
Bestpath from this peer: 4 n/a
Total: 4 2
Number of NLRIs in the update sent: max 1, min 1
Connections established 1; dropped 0
Last reset never
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Connection is ECN Disabled
Local host: 10.9.9.11, Local port: 179
Foreign host: 10.9.9.1, Foreign port: 12365
Enqueued packets for retransmit: 0, input: 0 mis-ordered: 0 (0 bytes)
Event Timers (current time is 0x2D0F0):
Timer Starts Wakeups Next
Retrans 6 0 0x0
TimeWait 0 0 0x0
AckHold 7 3 0x0
SendWnd 0 0 0x0
KeepAlive 0 0 0x0
GiveUp 0 0 0x0
PmtuAger 0 0 0x0
DeadWait 0 0 0x0
iss: 3328307266 snduna: 3328307756 sndnxt: 3328307756 sndwnd: 15895
irs: 4023050141 rcvnxt: 4023050687 rcvwnd: 16384 delrcvwnd: 0
SRTT: 165 ms, RTTO: 1457 ms, RTV: 1292 ms, KRTT: 0 ms
minRTT: 0 ms, maxRTT: 300 ms, ACK hold: 200 ms
Flags: passive open, nagle, gen tcbs
IP Precedence value : 6
Datagrams (max data segment is 536 bytes):
Rcvd: 13 (out of order: 0), with data: 7, total data bytes: 545
Sent: 11 (retransmit: 0, fastretransmit: 0, partialack: 0, Second Congestion: 0), with data:
6, total data bytes: 489
Spoke2#

Additional References
Related Documents

Related Topic                                   Document Title

Cisco IOS commands                              Cisco IOS Master Commands List, All Releases

Call Admission Control                          Call Admission Control for IKE

GRE tunnel keepalive information                The chapter "Implementing Tunnels" in the Interface and Hardware
                                                Component Configuration Guide

IKE configuration tasks such as defining an     The chapter "Configuring Internet Key Exchange for IPSec VPNs" in the
IKE policy                                      Cisco IOS Security Configuration Guide: Secure Connectivity

IPsec configuration tasks                       The chapter "Configuring Security for VPNs with IPsec" in the Cisco IOS
                                                Security Configuration Guide: Secure Connectivity

Configuring VRF-Aware IPsec                     The chapter "VRF-Aware IPsec" in the Cisco IOS Security Configuration
                                                Guide: Secure Connectivity

Configuring MPLS                                The chapter "Configuring Multiprotocol Label Switching" in the Cisco IOS
                                                Multiprotocol Label Switching Configuration Guide

Configuring BGP                                 The chapter "Cisco BGP Overview" in the Cisco IOS IP Routing: BGP
                                                Protocols Configuration Guide

System messages                                 System Message Guide

Defining and configuring ISAKMP profiles        The chapter "Certificate to ISAKMP Profile Mapping" in the Cisco IOS
                                                Security Configuration Guide: Secure Connectivity

Implementing Dynamic Multipoint VPN for IPv6    IPv6 Configuration Guide

Recommended cryptographic algorithms            Next Generation Encryption

Standards

Standards Title

None --

MIBs

MIBs MIBs Link

None To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use
Cisco MIB Locator found at the following URL:
http://www.cisco.com/go/mibs

RFCs

RFCs Title

RFC 2547 BGP/MPLS VPNs

Technical Assistance

Description                                                          Link

The Cisco Support and Documentation website provides online          http://www.cisco.com/cisco/web/support/index.html
resources to download documentation, software, and tools. Use
these resources to install and configure the software and to
troubleshoot and resolve technical issues with Cisco products
and technologies. Access to most tools on the Cisco Support and
Documentation website requires a Cisco.com user ID and password.

Feature Information for Dynamic Multipoint VPN (DMVPN)


The following table provides release information about the feature or features described in this module. This
table lists only the software release that introduced support for a given feature in a given software release
train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 1: Feature Information for Dynamic Multipoint VPN (DMVPN)

Feature Name                  Releases      Feature Information

DMVPN--Enabling Traffic       12.4(11)T     The 2547oDMVPN feature allows users to segment VPN traffic within a
Segmentation Within DMVPN                   DMVPN tunnel by applying MPLS labels to VRF instances to indicate the
                                            source and destination of each VRF.

Manageability Enhancements    12.4(9)T      DMVPN session manageability was expanded with DMVPN-specific commands
for DMVPN                                   for debugging, show output, session and counter control, and system
                                            log information.
                                            The following sections provide information about this feature:
                                            • Troubleshooting Dynamic Multipoint VPN (DMVPN)
                                            The following commands were introduced or modified by this feature:
                                            clear dmvpn session, clear dmvpn statistics, debug dmvpn, debug nhrp
                                            condition, debug nhrp error, logging dmvpn, show dmvpn, show ip nhrp
                                            traffic.

DMVPN Phase 2                 12.2(18)SXE   DMVPN spoke-to-spoke functionality was made more production ready. If
                              12.3(9a)      you are using this functionality in a production network, the minimum
                              12.3(8)T1     release is Release 12.3(9a) or Release 12.3(8)T1.
                                            In Release 12.2(18)SXE, support was added for the Cisco Catalyst 6500
                                            series switch and the Cisco 7600 series router.

--                            12.3(6)       Virtual Route Forwarding Integrated DMVPN and Network Address
                              12.3(7)T      Translation-Transparency (NAT-T) Aware DMVPN enhancements were added.
                                            In addition, DMVPN hub-to-spoke functionality was made more production
                                            ready. If you are using this functionality in a production network,
                                            the minimum release requirement is Cisco IOS Release 12.3(6) or
                                            12.3(7)T.
                                            The enhancements added in Cisco IOS Release 12.3(6) were integrated
                                            into Cisco IOS Release 12.3(7)T.

Dynamic Multipoint VPN        12.2(13)T     The Dynamic Multipoint VPN (DMVPN) feature allows users to better
(DMVPN) Phase 1                             scale large and small IPsec Virtual Private Networks (VPNs) by
                                            combining generic routing encapsulation (GRE) tunnels, IP security
                                            (IPsec) encryption, and Next Hop Resolution Protocol (NHRP).

Glossary
AM --aggressive mode. A mode during IKE negotiation. Compared to MM, AM eliminates several steps,
making it faster but less secure than MM. Cisco IOS software will respond in aggressive mode to an IKE peer
that initiates aggressive mode.
GRE --generic routing encapsulation. Tunnels that provide a specific pathway across the shared WAN and
encapsulate traffic with new packet headers to ensure delivery to specific destinations. The network is private
because traffic can enter a tunnel only at an endpoint. Tunnels do not provide true confidentiality (encryption
does) but can carry encrypted traffic.
GRE tunneling can also be used to encapsulate non-IP traffic into IP and send it over the Internet or IP network.
The Internetwork Packet Exchange (IPX) and AppleTalk protocols are examples of non-IP traffic.
IKE --Internet Key Exchange. A hybrid protocol that implements Oakley key exchange and Skeme key
exchange inside the ISAKMP framework. Although IKE can be used with other protocols, its initial
implementation is with IPsec. IKE provides authentication of the IPsec peers, negotiates IPsec keys, and
negotiates IPsec security associations.
IPsec --IP security. A framework of open standards developed by the Internet Engineering Task Force (IETF).
IPsec provides security for transmission of sensitive information over unprotected networks such as the
Internet. IPsec acts at the network layer, protecting and authenticating IP packets between participating IPsec
devices (“peers”), such as Cisco routers.
ISAKMP --Internet Security Association Key Management Protocol. A protocol framework that defines
payload formats, the mechanics of implementing a key exchange protocol, and the negotiation of a security
association.
MM --main mode. Mode that is slower than aggressive mode but more secure and more flexible than aggressive
mode because it can offer an IKE peer more security proposals. The default action for IKE authentication
(rsa-sig, rsa-encr, or preshared) is to initiate main mode.
NHRP --Next Hop Resolution Protocol. Routers, access servers, and hosts can use NHRP to discover the
addresses of other routers and hosts connected to a NBMA network.
The Cisco implementation of NHRP supports the IETF draft version 11 of NBMA Next Hop Resolution
Protocol (NHRP).
The Cisco implementation of NHRP supports IP Version 4, Internetwork Packet Exchange (IPX) network layers,
and, at the link layer, ATM, Ethernet, SMDS, and multipoint tunnel networks. Although NHRP is available
on Ethernet, NHRP need not be implemented over Ethernet media because Ethernet is capable of broadcasting.
Ethernet support is unnecessary (and not provided) for IPX.
PFS --Perfect Forward Secrecy. A cryptographic characteristic associated with a derived shared secret value.
With PFS, if one key is compromised, previous and subsequent keys are not compromised, because subsequent
keys are not derived from previous keys.
SA --security association. Describes how two or more entities will utilize security services to communicate
securely. For example, an IPsec SA defines the encryption algorithm (if used), the authentication algorithm,
and the shared session key to be used during the IPsec connection.
Both IPsec and IKE require and use SAs to identify the parameters of their connections. IKE can negotiate
and establish its own SA. The IPsec SA is established either by IKE or by manual user configuration.
transform --The list of operations done on a dataflow to provide data authentication, data confidentiality,
and data compression. One example of a transform is ESP with the 256-bit AES encryption algorithm and
the AH protocol with the HMAC-SHA authentication algorithm.
VPN --Virtual Private Network. A framework that consists of multiple peers transmitting private data securely
to one another over an otherwise public infrastructure. In this framework, inbound and outbound network
traffic is protected using protocols that tunnel and encrypt all data. This framework permits networks to extend
beyond their local topology, while remote users are provided with the appearance and functionality of a direct
network connection.

CHAPTER 2
IPv6 over DMVPN
This document describes how to implement the Dynamic Multipoint VPN for IPv6 feature, which allows
users to better scale large and small IPsec Virtual Private Networks (VPNs) by combining generic routing
encapsulation (GRE) tunnels, IP security (IPsec) encryption, and the Next Hop Resolution Protocol (NHRP).
In Dynamic Multipoint Virtual Private Network (DMVPN) for IPv6, the public network (the Internet) is a
pure IPv4 network, and the private network (the intranet) is IPv6 capable.
IPv6 support on DMVPN was extended to the public network (the Internet) facing the Internet service provider
(ISP). The IPv6 transport for DMVPN feature builds IPv6 WAN-side capability into NHRP tunnels and the
underlying IPsec encryption, and enables IPv6 to transport payloads on the Internet.
The IPv6 transport for DMVPN feature is enabled by default. You need not upgrade your private internal
network to IPv6 for the IPv6 transport for DMVPN feature to function. You can have either IPv4 or IPv6
addresses on your local networks.

Note Security threats, as well as the cryptographic technologies to help protect against them, are constantly changing.
For more information about the latest Cisco cryptographic recommendations, see the Next Generation
Encryption (NGE) white paper.

• Finding Feature Information, on page 51


• Prerequisites for IPv6 over DMVPN, on page 52
• Information About IPv6 over DMVPN, on page 52
• How to Configure IPv6 over DMVPN, on page 54
• Configuration Examples for IPv6 over DMVPN, on page 67
• Additional References, on page 71
• Feature Information for IPv6 over DMVPN, on page 72

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for IPv6 over DMVPN

• One of the following routing protocols must be enabled for DMVPN for IPv6 to work: Border Gateway Protocol
(BGP), Enhanced Interior Gateway Routing Protocol (EIGRP), On-Demand Routing (ODR), Open Shortest Path
First (OSPF), or Routing Information Protocol (RIP).
• Every IPv6 NHRP interface is configured with one IPv6 unicast address. This address can be a globally
reachable or unique local address.
• Every IPv6 NHRP interface is configured with one IPv6 link-local address that is unique across all
DMVPN hosts in the DMVPN cloud (that is, the hubs and spokes).

Information About IPv6 over DMVPN


DMVPN for IPv6 Overview
The DMVPN feature combines NHRP routing, multipoint generic routing encapsulation (mGRE) tunnels, and IPsec
encryption to give users ease of configuration through crypto profiles, which remove the need to define
static crypto maps, together with dynamic discovery of tunnel endpoints.
This feature relies on the following Cisco enhanced standard technologies:
• NHRP--A client and server protocol where the hub is the server and the spokes are the clients. The hub
maintains an NHRP database of the public interface addresses of each spoke. Each spoke registers its
real address when it boots and queries the NHRP database for real addresses of the destination spokes
to build direct tunnels.
• mGRE tunnel interface--An mGRE tunnel interface allows a single GRE interface to support multiple
IPsec tunnels, which reduces the size and complexity of the configuration.
• IPsec encryption--An IPsec tunnel interface provides protection of site-to-site IPv6 traffic with
native encapsulation.

In DMVPN for IPv6, the public network (the Internet) is a pure IPv4 network, and the private network (the
intranet) is IPv6 capable. The intranets could be a mix of IPv4 or IPv6 clouds connected to each other using
DMVPN technologies, with the underlying carrier being a traditional IPv4 network.

NHRP Routing
The NHRP protocol resolves a given intranet address (IPv4 or IPv6) to an Internet address (IPv4 nonbroadcast
multiaccess [NBMA] address).
In the figure below, the intranets that are connected over the DMVPN network are IPv6 clouds, and the Internet
is a pure IPv4 cloud. Spokes S1 and S2 are connected to Hub H over the Internet using a statically configured
tunnel. The address of the tunnel itself is in the IPv6 domain, because the tunnel is another node on the intranet.
The source and destination addresses of the tunnel (the mGRE endpoints), however, are always IPv4 addresses in
the Internet domain. The mGRE tunnel is aware of the IPv6 network because the GRE passenger protocol is an
IPv6 packet, while the GRE transport (or carrier) protocol is an IPv4 packet.

Figure 5: IPv6 Topology That Triggers NHRP

When an IPv6 host in LAN L1 sends a packet destined to an IPv6 host in LAN L2, the packet is first routed
to the gateway (which is Spoke S1) in LAN L1. Spoke S1 is a dual-stack device, which means both IPv4 and
IPv6 are configured on it. The IPv6 routing table in S1 points to a next hop, which is the IPv6 address of the
tunnel on Spoke S2. This is a VPN address that must be mapped to an NBMA address, triggering NHRP.

IPv6 NHRP Redirect and Shortcut Features


When IPv6 NHRP redirect is enabled, NHRP examines every data packet in the output feature path. If the
data packet enters and leaves on the same logical network, NHRP sends an NHRP traffic indication message
to the source of the data packet. In NHRP, a logical network is identified by the NHRP network ID, which
groups multiple physical interfaces into a single logical network.
When IPv6 NHRP shortcut is enabled, NHRP intercepts every data packet in the output feature path. It checks
to see if there is an NHRP cache entry to the destination of the data packet and, if yes, it replaces the current
output adjacency with the one present in the NHRP cache. The data packet is therefore switched out using
the new adjacency provided by NHRP.

IPv6 Routing
NHRP is automatically invoked for mGRE tunnels carrying the IPv6 passenger protocol. When a packet is
routed and sent to the switching path, NHRP looks up the given next hop and, if required, initiates an NHRP
resolution query. If the resolution is successful, NHRP populates the tunnel endpoint database, which in turn
populates the Cisco Express Forwarding adjacency table. The subsequent packets are Cisco Express Forwarding
switched if Cisco Express Forwarding is enabled.

IPv6 Addressing and Restrictions


IPv6 allows multiple unicast addresses on a given interface, as well as special address types such as anycast,
multicast, and link-local addresses.
DMVPN for IPv6 has the following addressing restrictions:
• Every IPv6 NHRP interface is configured with one IPv6 unicast address. This address can be a globally
reachable or unique local address.
• Every IPv6 NHRP interface is configured with one IPv6 link-local address that is unique across all
DMVPN hosts in the DMVPN cloud (that is, the hubs and spokes).
  • If no other tunnels on the device are using the same tunnel source, then the tunnel source address
  can be embedded into an IPv6 address to make it unique.
  • If the device has only one DMVPN IPv6 tunnel, then manual configuration of the IPv6 link-local
  address is not required. Instead, use the ipv6 enable command to autogenerate a link-local address.
  • If the device has more than one DMVPN IPv6 tunnel, then the link-local address must be manually
  configured using the ipv6 address ipv6-address link-local command (for example, ipv6 address fe80::2001
  link-local), with a different value on every node in the cloud.
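The two sections above describe how an IPv6 next hop on the tunnel is turned into an IPv4 NBMA address (registration with the hub, resolution through it, then the redirect/shortcut pair that moves traffic off the hub) and why every node's link-local address must be unique. The model below is an added example, not code from the Cisco guide, that puts both together: spokes register with the hub, a cache miss goes through the hub and triggers a traffic indication, the spoke installs the shortcut, and registration refuses a duplicate link-local. It also shows one way to satisfy the "embed the tunnel source" advice: placing the IPv4 tunnel source in the low 32 bits of fe80::/64. All node names and addresses are constructed for the example.

```python
"""
Added example, not part of the Cisco guide: toy model of IPv6-over-DMVPN NHRP
registration, resolution, redirect and shortcut, plus the link-local uniqueness rule.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv6Address, IPv6Network


def link_local_from_tunnel_source(nbma):
    """fe80:: with the IPv4 tunnel source in the low 32 bits (172.0.0.11 -> fe80::ac00:b).
    Unique across the cloud whenever the NBMA addresses are, which DMVPN needs anyway."""
    return IPv6Address(int(IPv6Address("fe80::")) | int(IPv4Address(nbma)))


@dataclass
class Node:
    name: str
    nbma: IPv4Address          # IPv4 transport address (tunnel source)
    tunnel: IPv6Address        # IPv6 unicast address on the mGRE tunnel
    link_local: IPv6Address
    lan: IPv6Network           # IPv6 prefix behind this node
    cache: dict = field(default_factory=dict)   # NHRP cache: tunnel address -> NBMA


def make_node(name, nbma, tunnel, lan):
    return Node(name, IPv4Address(nbma), IPv6Address(tunnel),
                link_local_from_tunnel_source(nbma), IPv6Network(lan))


class DmvpnCloud:
    """One NHRP network-id: a hub (the NHS) and the spokes registered with it."""

    def __init__(self, hub):
        self.hub = hub
        self.spokes = []
        self.routes = {hub.lan: hub.tunnel}     # IGP view: IPv6 prefix -> next hop (a tunnel address)
        self.traffic_indications = []           # (spoke name, IPv6 next hop) redirects the hub sent

    def _node_for(self, nbma):
        return next(n.name for n in [self.hub, *self.spokes] if n.nbma == nbma)

    def register(self, spoke):
        """NHRP registration, spoke -> NHS. A link-local the cloud already uses is refused."""
        for n in [self.hub, *self.spokes]:
            if n.link_local == spoke.link_local:
                raise ValueError(f"{spoke.name}: link-local {spoke.link_local} already used by {n.name}")
        self.spokes.append(spoke)
        spoke.cache[self.hub.tunnel] = self.hub.nbma    # static 'ipv6 nhrp map' to the NHS
        self.hub.cache[spoke.tunnel] = spoke.nbma       # dynamic entry created by the registration
        self.routes[spoke.lan] = spoke.tunnel           # prefix learned by the IGP over the tunnel

    def next_hop(self, dst):
        for prefix, nh in self.routes.items():
            if dst in prefix:
                return nh
        raise LookupError(f"no IPv6 route to {dst}")

    def forward(self, src, dst):
        """Node names an IPv6 packet from src passes through to reach dst (redirect and shortcut on)."""
        nh = self.next_hop(IPv6Address(dst))
        if nh in src.cache:                              # hub mapping, or an installed shortcut
            return [src.name, self._node_for(src.cache[nh])]
        # Cache miss: the only NBMA mapping the spoke has is the hub, so the packet goes there.
        # The hub forwards it out on the same NHRP network-id it arrived on, so 'ipv6 nhrp
        # redirect' sends a traffic indication back to the source ...
        self.traffic_indications.append((src.name, nh))
        # ... and 'ipv6 nhrp shortcut' makes the source resolve nh through the NHS and install
        # the NBMA adjacency, so the next packet bypasses the hub.
        src.cache[nh] = self.hub.cache[nh]
        return [src.name, self.hub.name, self._node_for(src.cache[nh])]


def build_demo_cloud():
    hub = make_node("Hub", "172.0.0.1", "2001:db8:1:1::1", "2001:db8:10::/64")
    s1 = make_node("Spoke1", "172.0.0.11", "2001:db8:1:1::11", "2001:db8:11::/64")
    s2 = make_node("Spoke2", "172.0.0.12", "2001:db8:1:1::12", "2001:db8:12::/64")
    cloud = DmvpnCloud(hub)
    cloud.register(s1)
    cloud.register(s2)
    return cloud, s1, s2


def duplicate_link_local_rejected():
    """A third spoke that copied Spoke1's link-local (the effect of pasting one fe80:: value everywhere)."""
    cloud, s1, _ = build_demo_cloud()
    clone = Node("Spoke3", IPv4Address("172.0.0.13"), IPv6Address("2001:db8:1:1::13"),
                 s1.link_local, IPv6Network("2001:db8:13::/64"))
    try:
        cloud.register(clone)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    cloud, s1, _ = build_demo_cloud()
    print(cloud.forward(s1, "2001:db8:12::5"))   # first packet: through the hub
    print(cloud.forward(s1, "2001:db8:12::5"))   # after the shortcut: direct to Spoke2
```

A real router does not reject a duplicate link-local at registration; the model does so to make the failure visible, whereas on real equipment the symptom is routing-protocol adjacencies and next hops that resolve to the wrong spoke.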

How to Configure IPv6 over DMVPN


Configuring an IPsec Profile in DMVPN for IPv6

Note Security threats, as well as the cryptographic technologies to help protect against them, are constantly changing.
For more information about the latest Cisco cryptographic recommendations, see the Next Generation
Encryption (NGE) white paper.

The IPsec profile shares most commands with the crypto map configuration, but only a subset of the commands
are valid in an IPsec profile. Only commands that pertain to an IPsec policy can be issued under an IPsec
profile; you cannot specify the IPsec peer address or the access control list (ACL) to match the packets that
are to be encrypted.

Before you begin


Before configuring an IPsec profile, you must do the following:
• Define a transform set by using the crypto ipsec transform-set command.
• Make sure that the Internet Security Association Key Management Protocol (ISAKMP) profile is
configured with default ISAKMP settings.

SUMMARY STEPS
1. enable
2. configure terminal
3. crypto identity name
4. exit
5. crypto ipsec profile name
6. set transform-set transform-set-name
7. set identity
8. set security-association lifetime {seconds seconds | kilobytes kilobytes}
9. set pfs [group1 | group14 | group15 | group16 | group19 | group2 | group20 | group24 | group5]
10. end

DETAILED STEPS

Step 1  enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Device> enable

Step 2  configure terminal
Purpose: Enters global configuration mode.
Example:
Device# configure terminal

Step 3  crypto identity name
Purpose: Configures the identity of the device with a given list of distinguished names (DNs) in the
certificate of the device.
Example:
Device(config)# crypto identity device1

Step 4  exit
Purpose: Exits crypto identity configuration mode and enters global configuration mode.
Example:
Device(config-crypto-identity)# exit

Step 5  crypto ipsec profile name
Purpose: Defines the IPsec parameters that are to be used for IPsec encryption between "spoke and hub"
and "spoke and spoke" routers. This command places the device in crypto map configuration mode.
Example:
Device(config)# crypto ipsec profile example1

Step 6  set transform-set transform-set-name
Purpose: Specifies which transform sets can be used with the IPsec profile.
Example:
Device(config-crypto-map)# set transform-set example-set

Step 7  set identity
Purpose: (Optional) Specifies identity restrictions to be used with the IPsec profile.
Example:
Device(config-crypto-map)# set identity router1

Step 8  set security-association lifetime {seconds seconds | kilobytes kilobytes}
Purpose: (Optional) Overrides the global lifetime value for the IPsec profile.
Example:
Device(config-crypto-map)# set security-association lifetime seconds 1800

Step 9  set pfs [group1 | group14 | group15 | group16 | group19 | group2 | group20 | group24 | group5]
Purpose: (Optional) Specifies that IPsec should ask for perfect forward secrecy (PFS) when requesting new
security associations for this IPsec profile. If the command is entered without a group, the default
Diffie-Hellman (DH) group, group1, is used; if the command is omitted, PFS is not requested.
• 1—768-bit DH (no longer recommended)
• 2—1024-bit DH (no longer recommended)
• 5—1536-bit DH (no longer recommended)
• 14—Specifies the 2048-bit DH group.
• 15—Specifies the 3072-bit DH group.
• 16—Specifies the 4096-bit DH group.
• 19—Specifies the 256-bit elliptic curve DH (ECDH) group.
• 20—Specifies the 384-bit ECDH group.
• 24—Specifies the 2048-bit DH/DSA group.
Example:
Device(config-crypto-map)# set pfs group14

Step 10  end
Purpose: Exits crypto map configuration mode and returns to privileged EXEC mode.
Example:
Device(config-crypto-map)# end

Configuring the Hub for IPv6 over DMVPN


Perform this task to configure the hub device for IPv6 over DMVPN for mGRE and IPsec integration (that
is, associate the tunnel with the IPsec profile configured in the previous procedure).

SUMMARY STEPS
1. enable
2. configure terminal
3. interface tunnel number
4. ipv6 address {ipv6-address/prefix-length | prefix-name sub-bits/prefix-length}
5. ipv6 address ipv6-address/prefix-length link-local
6. ipv6 mtu bytes
7. ipv6 nhrp authentication string
8. ipv6 nhrp map multicast dynamic
9. ipv6 nhrp network-id network-id
10. tunnel source {ip-address | ipv6-address | interface-type interface-number}
11. tunnel mode {aurp | cayman | dvmrp | eon | gre | gre multipoint [ipv6] | gre ipv6 | ipip [decapsulate-any] |
ipsec ipv4 | iptalk | ipv6 | ipsec ipv6 | mpls | nos | rbscp}
12. Do one of the following:
• tunnel protection ipsec profile name [shared]
• tunnel protection psk key
13. bandwidth {kbps | inherit [kbps] | receive [kbps]}
14. ipv6 nhrp holdtime seconds
15. ipv6 nhrp max-send pkt-count every seconds
16. ip nhrp registration [timeout seconds | no-unique]
17. end

DETAILED STEPS

Step 1  enable
        Enables privileged EXEC mode.
        • Enter your password if prompted.
        Example:
        Device> enable

Step 2  configure terminal
        Enters global configuration mode.
        Example:
        Device# configure terminal

Step 3  interface tunnel number
        Configures a tunnel interface and enters interface configuration mode.
        • The number argument specifies the number of the tunnel interface that you want to create or
          configure. There is no limit on the number of tunnel interfaces you can create.
        Example:
        Device(config)# interface tunnel 5

Step 4  ipv6 address {ipv6-address/prefix-length | prefix-name sub-bits/prefix-length}
        Configures an IPv6 address based on an IPv6 general prefix and enables IPv6 processing on an
        interface.
        Example:
        Device(config-if)# ipv6 address 2001:DB8:1:1::72/64

Step 5  ipv6 address ipv6-address/prefix-length link-local
        Configures an IPv6 link-local address for an interface and enables IPv6 processing on the
        interface.
        • A unique IPv6 link-local address (across all DMVPN nodes in a DMVPN network) must be
          configured.
        Example:
        Device(config-if)# ipv6 address fe80::2001 link-local

Step 6  ipv6 mtu bytes
        Sets the maximum transmission unit (MTU) size of IPv6 packets sent on an interface.
        Example:
        Device(config-if)# ipv6 mtu 1400

Step 7  ipv6 nhrp authentication string
        Configures the authentication string for an interface using NHRP.
        Note: The NHRP authentication string must be set to the same value on all hubs and spokes that
        are in the same DMVPN network.
        Example:
        Device(config-if)# ipv6 nhrp authentication examplexx

Step 8  ipv6 nhrp map multicast dynamic
        Allows NHRP to automatically add routers to the multicast NHRP mappings.
        Note: Effective with Cisco IOS XE Denali 16.3, ipv6 nhrp map multicast dynamic is enabled by
        default.
        Example:
        Device(config-if)# ipv6 nhrp map multicast dynamic

Step 9  ipv6 nhrp network-id network-id
        Enables NHRP on an interface.
        Note: Effective with Cisco IOS XE Denali 16.3, ipv6 nhrp network-id is enabled by default.
        Example:
        Device(config-if)# ipv6 nhrp network-id 99

Step 10 tunnel source {ip-address | ipv6-address | interface-type interface-number}
        Sets the source address for a tunnel interface.
        Example:
        Device(config-if)# tunnel source ethernet 0

Step 11 tunnel mode {aurp | cayman | dvmrp | eon | gre | gre multipoint [ipv6] | gre ipv6 | ipip
        [decapsulate-any] | ipsec ipv4 | iptalk | ipv6 | ipsec ipv6 | mpls | nos | rbscp}
        Sets the encapsulation mode to mGRE for the tunnel interface.
        Example:
        Device(config-if)# tunnel mode gre multipoint

Step 12 Do one of the following:
        • tunnel protection ipsec profile name [shared]
        • tunnel protection psk key
        Associates a tunnel interface with an IPsec profile.
        • The name argument specifies the name of the IPsec profile; this value must match the name
          specified in the crypto ipsec profile name command.
        or
        Simplifies the tunnel protection configuration for pre-shared key (PSK) by creating a default
        IPsec profile.
        Example:
        Device(config-if)# tunnel protection ipsec profile vpnprof
        Example:
        Device(config-if)# tunnel protection psk test1

Step 13 bandwidth {kbps | inherit [kbps] | receive [kbps]}
        Sets the current bandwidth value for an interface to higher-level protocols.
        • The bandwidth-size argument specifies the bandwidth in kilobits per second. The default
          value is 9. The recommended bandwidth value is 1000 or greater.
        Example:
        Device(config-if)# bandwidth 1200

Step 14 ipv6 nhrp holdtime seconds
        Changes the number of seconds that NHRP NBMA addresses are advertised as valid in
        authoritative NHRP responses. The default time is 600 seconds.
        Example:
        Device(config-if)# ipv6 nhrp holdtime 600

Step 15 ipv6 nhrp max-send pkt-count every seconds
        Changes the maximum frequency at which NHRP packets can be sent. The pkt-count argument is the
        number of packets that can be sent, in the range from 1 to 65535. The default is 100 packets.
        Example:
        Device(config-if)# ipv6 nhrp max-send 10000 every 10

Step 16 ip nhrp registration [timeout seconds | no-unique]
        Enables the client to not set the unique flag in the NHRP request and reply packets. The
        default is no-unique.
        Example:
        Device(config-if)# ip nhrp registration no-unique

Step 17 end
        Exits interface configuration mode and returns to privileged EXEC mode.
        Example:
        Device(config-if)# end

Configuring the NHRP Redirect and Shortcut Features on the Hub


SUMMARY STEPS
1. enable
2. configure terminal
3. interface tunnel number
4. ipv6 address {ipv6-address/prefix-length | prefix-name sub-bits/prefix-length}
5. Do one of the following:
    • ipv6 nhrp redirect [timeout seconds]
    • ipv6 nhrp redirect [interest acl]
6. ipv6 nhrp shortcut
7. end

DETAILED STEPS

Step 1  enable
        Enables privileged EXEC mode.
        • Enter your password if prompted.
        Example:
        Device> enable

Step 2  configure terminal
        Enters global configuration mode.
        Example:
        Device# configure terminal

Step 3  interface tunnel number
        Configures a tunnel interface and enters interface configuration mode.
        • The number argument specifies the number of the tunnel interface that you want to create or
          configure. There is no limit on the number of tunnel interfaces you can create.
        Example:
        Device(config)# interface tunnel 5

Step 4  ipv6 address {ipv6-address/prefix-length | prefix-name sub-bits/prefix-length}
        Configures an IPv6 address based on an IPv6 general prefix and enables IPv6 processing on an
        interface.
        Example:
        Device(config-if)# ipv6 address 2001:DB8:1:1::72/64

Step 5  Do one of the following:
        • ipv6 nhrp redirect [timeout seconds]
        • ipv6 nhrp redirect [interest acl]
        Enables NHRP redirect.
        or
        Enables the user to specify an ACL.
        Note: You must configure the ipv6 nhrp redirect command on a hub.
        Example:
        Device(config-if)# ipv6 nhrp redirect
        Example:
        Device(config-if)# ipv6 nhrp redirect interest

Step 6  ipv6 nhrp shortcut
        Enables NHRP shortcut switching.
        • You must configure the ipv6 nhrp shortcut command on a spoke.
        Note: Effective with Cisco IOS XE Denali 16.3, ipv6 nhrp shortcut is enabled by default.
        Example:
        Device(config-if)# ipv6 nhrp shortcut

Step 7  end
        Exits interface configuration mode and returns to privileged EXEC mode.
        Example:
        Device(config-if)# end

Configuring the Spoke for IPv6 over DMVPN


Perform this task to configure the spoke for IPv6 over DMVPN.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface tunnel number
4. ipv6 address {ipv6-address/prefix-length | prefix-name sub-bits/prefix-length}
5. ipv6 address ipv6-address/prefix-length link-local
6. ipv6 mtu bytes
7. ipv6 nhrp authentication string
8. ipv6 nhrp map ipv6-address nbma-address
9. ipv6 nhrp map multicast ipv4-nbma-address
10. ipv6 nhrp nhs ipv6-nhs-address
11. ipv6 nhrp network-id network-id
12. tunnel source {ip-address | ipv6-address | interface-type interface-number}
13. Do one of the following:
    • tunnel mode {aurp | cayman | dvmrp | eon | gre | gre multipoint [ipv6] | gre ipv6 | ipip [decapsulate-any] | ipsec ipv4 | iptalk | ipv6 | ipsec ipv6 | mpls | nos | rbscp}
    • tunnel destination {host-name | ip-address | ipv6-address}
14. Do one of the following:
    • tunnel protection ipsec profile name [shared]
    • tunnel protection psk key
15. bandwidth {interzone | total | session} {default | zone zone-name} bandwidth-size
16. ipv6 nhrp holdtime seconds
17. end

DETAILED STEPS

Step 1  enable
        Enables privileged EXEC mode.
        • Enter your password if prompted.
        Example:
        Device> enable

Step 2  configure terminal
        Enters global configuration mode.
        Example:
        Device# configure terminal

Step 3  interface tunnel number
        Configures a tunnel interface and enters interface configuration mode.
        • The number argument specifies the number of the tunnel interface that you want to create or
          configure. There is no limit on the number of tunnel interfaces you can create.
        Example:
        Device(config)# interface tunnel 5

Step 4  ipv6 address {ipv6-address/prefix-length | prefix-name sub-bits/prefix-length}
        Configures an IPv6 address based on an IPv6 general prefix and enables IPv6 processing on an
        interface.
        Example:
        Device(config-if)# ipv6 address 2001:DB8:1:1::72/64

Step 5  ipv6 address ipv6-address/prefix-length link-local
        Configures an IPv6 link-local address for an interface and enables IPv6 processing on the
        interface.
        • A unique IPv6 link-local address (across all DMVPN nodes in a DMVPN network) must be
          configured.
        Example:
        Device(config-if)# ipv6 address fe80::2001 link-local

Step 6  ipv6 mtu bytes
        Sets the MTU size of IPv6 packets sent on an interface.
        Example:
        Device(config-if)# ipv6 mtu 1400

Step 7  ipv6 nhrp authentication string
        Configures the authentication string for an interface using NHRP.
        Note: The NHRP authentication string must be set to the same value on all hubs and spokes that
        are in the same DMVPN network.
        Example:
        Device(config-if)# ipv6 nhrp authentication examplexx

Step 8  ipv6 nhrp map ipv6-address nbma-address
        Statically configures the IPv6-to-NBMA address mapping of IPv6 destinations connected to an
        NBMA network.
        Note: Only IPv4 NBMA addresses are supported, not ATM or Ethernet addresses.
        Example:
        Device(config-if)# ipv6 nhrp map 2001:DB8:3333:4::5 10.1.1.1

Step 9  ipv6 nhrp map multicast ipv4-nbma-address
        Maps destination IPv6 addresses to IPv4 NBMA addresses.
        Example:
        Device(config-if)# ipv6 nhrp map multicast 10.11.11.99

Step 10 ipv6 nhrp nhs ipv6-nhs-address
        Specifies the address of one or more IPv6 NHRP servers.
        Example:
        Device(config-if)# ipv6 nhrp nhs 2001:0DB8:3333:4::5 2001:0DB8::/64

Step 11 ipv6 nhrp network-id network-id
        Enables NHRP on an interface.
        Note: Effective with Cisco IOS XE Denali 16.3, ipv6 nhrp network-id is enabled by default.
        Example:
        Device(config-if)# ipv6 nhrp network-id 99

Step 12 tunnel source {ip-address | ipv6-address | interface-type interface-number}
        Sets the source address for a tunnel interface.
        Example:
        Device(config-if)# tunnel source ethernet 0

Step 13 Do one of the following:
        • tunnel mode {aurp | cayman | dvmrp | eon | gre | gre multipoint [ipv6] | gre ipv6 | ipip
          [decapsulate-any] | ipsec ipv4 | iptalk | ipv6 | ipsec ipv6 | mpls | nos | rbscp}
        • tunnel destination {host-name | ip-address | ipv6-address}
        Sets the encapsulation mode to mGRE for the tunnel interface.
        • Use the tunnel mode command if data traffic can use dynamic spoke-to-spoke tunnels.
        or
        Specifies the destination for a tunnel interface.
        • Use the tunnel destination command if data traffic can use hub-and-spoke tunnels.
        Example:
        Device(config-if)# tunnel mode gre multipoint
        Example:
        Device(config-if)# tunnel destination 10.1.1.1

Step 14 Do one of the following:
        • tunnel protection ipsec profile name [shared]
        • tunnel protection psk key
        Associates a tunnel interface with an IPsec profile.
        • The name argument specifies the name of the IPsec profile; this value must match the name
          specified in the crypto ipsec profile name command.
        or
        Simplifies the tunnel protection configuration for pre-shared key (PSK) by creating a default
        IPsec profile.
        Example:
        Device(config-if)# tunnel protection ipsec profile vpnprof
        Example:
        Device(config-if)# tunnel protection psk test1

Step 15 bandwidth {interzone | total | session} {default | zone zone-name} bandwidth-size
        Sets the current bandwidth value for an interface to higher-level protocols.
        • The bandwidth-size argument specifies the bandwidth in kilobits per second. The default
          value is 9. The recommended bandwidth value is 1000 or greater.
        • The bandwidth setting for the spoke need not equal the bandwidth setting for the DMVPN hub.
          It is usually easier if all of the spokes use the same or similar value.
        Example:
        Device(config-if)# bandwidth total 1200

Step 16 ipv6 nhrp holdtime seconds
        Changes the number of seconds that NHRP NBMA addresses are advertised as valid in
        authoritative NHRP responses.
        Example:
        Device(config-if)# ipv6 nhrp holdtime 3600

Step 17 end
        Exits interface configuration mode and returns to privileged EXEC mode.
        Example:
        Device(config-if)# end

Verifying DMVPN for IPv6 Configuration


SUMMARY STEPS
1. enable
2. show dmvpn [ipv4 [vrf vrf-name] | ipv6 [vrf vrf-name]] [debug-condition | [interface tunnel number | peer {nbma ip-address | network network-mask | tunnel ip-address}] [static] [detail]]
3. show ipv6 nhrp [dynamic [ipv6-address] | incomplete | static] [address | interface] [brief | detail] [purge]
4. show ipv6 nhrp multicast [ipv4-address | interface | ipv6-address]
5. show ip nhrp multicast [nbma-address | interface]
6. show ipv6 nhrp summary
7. show ipv6 nhrp traffic [interface tunnel number]
8. show ip nhrp shortcut
9. show ip route
10. show ipv6 route
11. show nhrp debug-condition

DETAILED STEPS

Step 1  enable
        Enables privileged EXEC mode.
        • Enter your password if prompted.
        Example:
        Device> enable

Step 2  show dmvpn [ipv4 [vrf vrf-name] | ipv6 [vrf vrf-name]] [debug-condition | [interface tunnel
        number | peer {nbma ip-address | network network-mask | tunnel ip-address}] [static] [detail]]
        Displays DMVPN-specific session information.
        Example:
        Device# show dmvpn 2001:0db8:1:1::72/64

Step 3  show ipv6 nhrp [dynamic [ipv6-address] | incomplete | static] [address | interface] [brief |
        detail] [purge]
        Displays NHRP mapping information.
        Example:
        Device# show ipv6 nhrp

Step 4  show ipv6 nhrp multicast [ipv4-address | interface | ipv6-address]
        Displays NHRP multicast mapping information.
        Example:
        Device# show ipv6 nhrp multicast

Step 5  show ip nhrp multicast [nbma-address | interface]
        Displays NHRP multicast mapping information.
        Example:
        Device# show ip nhrp multicast

Step 6  show ipv6 nhrp summary
        Displays NHRP mapping summary information.
        Example:
        Device# show ipv6 nhrp summary

Step 7  show ipv6 nhrp traffic [interface tunnel number]
        Displays NHRP traffic statistics information.
        Example:
        Device# show ipv6 nhrp traffic

Step 8  show ip nhrp shortcut
        Displays NHRP shortcut information.
        Example:
        Device# show ip nhrp shortcut

Step 9  show ip route
        Displays the current state of the IPv4 routing table.
        Example:
        Device# show ip route

Step 10 show ipv6 route
        Displays the current contents of the IPv6 routing table.
        Example:
        Device# show ipv6 route

Step 11 show nhrp debug-condition
        Displays the NHRP conditional debugging information.
        Example:
        Device# show nhrp debug-condition

Monitoring and Maintaining DMVPN for IPv6 Configuration and Operation


SUMMARY STEPS
1. enable
2. clear dmvpn session [interface tunnel number | peer {ipv4-address | fqdn-string | ipv6-address} | vrf vrf-name] [static]
3. clear ipv6 nhrp [ipv6-address | counters]
4. debug dmvpn {all | error | detail | packet} {all | debug-type}
5. debug nhrp [cache | extension | packet | rate]
6. debug nhrp condition [interface tunnel number | peer {nbma {ipv4-address | fqdn-string | ipv6-address} | tunnel {ip-address | ipv6-address}} | vrf vrf-name]
7. debug nhrp error

DETAILED STEPS

Step 1  enable
        Enables privileged EXEC mode.
        • Enter your password if prompted.
        Example:
        Device> enable

Step 2  clear dmvpn session [interface tunnel number | peer {ipv4-address | fqdn-string |
        ipv6-address} | vrf vrf-name] [static]
        Clears DMVPN sessions.
        Example:
        Device# clear dmvpn session

Step 3  clear ipv6 nhrp [ipv6-address | counters]
        Clears all dynamic entries from the NHRP cache.
        Example:
        Device# clear ipv6 nhrp

Step 4  debug dmvpn {all | error | detail | packet} {all | debug-type}
        Displays debug DMVPN session information.
        Example:
        Device# debug dmvpn

Step 5  debug nhrp [cache | extension | packet | rate]
        Enables NHRP debugging.
        Example:
        Device# debug nhrp ipv6

Step 6  debug nhrp condition [interface tunnel number | peer {nbma {ipv4-address | fqdn-string |
        ipv6-address} | tunnel {ip-address | ipv6-address}} | vrf vrf-name]
        Enables NHRP conditional debugging.
        Example:
        Device# debug nhrp condition

Step 7  debug nhrp error
        Displays NHRP error-level debugging information.
        Example:
        Device# debug nhrp ipv6 error

Examples

Sample Output for the debug nhrp Command


The following sample output is from the debug nhrp command with the ipv6 keyword:

Device# debug nhrp ipv6

Aug 9 13:13:41.486: NHRP: Attempting to send packet via DEST
                    - 2001:DB8:3c4d:0015:0000:0000:1a2f:3d2c/32
Aug 9 13:13:41.486: NHRP: Encapsulation succeeded.
Aug 9 13:13:41.486: NHRP: Tunnel NBMA addr 11.11.11.99
Aug 9 13:13:41.486: NHRP: Send Registration Request via Tunnel0 vrf 0, packet size: 105
Aug 9 13:13:41.486:       src: 2001:DB8:3c4d:0015:0000:0000:1a2f:3d2c/32,
                          dst: 2001:DB8:3c4d:0015:0000:0000:1a2f:3d2c/32
Aug 9 13:13:41.486: NHRP: 105 bytes out Tunnel0
Aug 9 13:13:41.486: NHRP: Receive Registration Reply via Tunnel0 vrf 0, packet size: 125

Configuration Examples for IPv6 over DMVPN


Example: Configuring an IPsec Profile

Device(config)# crypto identity router1
Device(config)# crypto ipsec profile example1
Device(config-crypto-map)# set transform-set example-set
Device(config-crypto-map)# set identity router1
Device(config-crypto-map)# set security-association lifetime seconds 1800
Device(config-crypto-map)# set pfs group14

Example: Configuring the Hub for DMVPN

Device# configure terminal
Device(config)# interface tunnel 5
Device(config-if)# ipv6 address 2001:DB8:1:1::72/64
Device(config-if)# ipv6 address fe80::2001 link-local
Device(config-if)# ipv6 mtu 1400
Device(config-if)# ipv6 nhrp authentication examplexx
Device(config-if)# ipv6 nhrp map multicast dynamic
Device(config-if)# ipv6 nhrp network-id 99
Device(config-if)# tunnel source ethernet 0
Device(config-if)# tunnel mode gre multipoint
Device(config-if)# tunnel protection ipsec profile example_profile
Device(config-if)# bandwidth 1200
Device(config-if)# ipv6 nhrp holdtime 3600

The following sample output is from the show dmvpn command, with the ipv6 and detail keywords, for the
hub:

Device# show dmvpn ipv6 detail

Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface Tunnel1 is up/up, Addr. is 10.0.0.3, VRF ""
   Tunnel Src./Dest. addr: 192.169.2.9/MGRE, Tunnel VRF ""
   Protocol/Transport: "multi-GRE/IP", Protect "test_profile"
Type:Hub, Total NBMA Peers (v4/v6): 2
    1.Peer NBMA Address: 192.169.2.10
        Tunnel IPv6 Address: 2001::4
        IPv6 Target Network: 2001::4/128
        # Ent: 2, Status: UP, UpDn Time: 00:01:51, Cache Attrib: D
Type:Hub, Total NBMA Peers (v4/v6): 2
    2.Peer NBMA Address: 192.169.2.10
        Tunnel IPv6 Address: 2001::4
        IPv6 Target Network: FE80::2/128
        # Ent: 0, Status: UP, UpDn Time: 00:01:51, Cache Attrib: D
Type:Hub, Total NBMA Peers (v4/v6): 2
    3.Peer NBMA Address: 192.169.2.11
        Tunnel IPv6 Address: 2001::5
        IPv6 Target Network: 2001::5/128
        # Ent: 2, Status: UP, UpDn Time: 00:26:38, Cache Attrib: D
Type:Hub, Total NBMA Peers (v4/v6): 2
    4.Peer NBMA Address: 192.169.2.11
        Tunnel IPv6 Address: 2001::5
        IPv6 Target Network: FE80::3/128
        # Ent: 0, Status: UP, UpDn Time: 00:26:38, Cache Attrib: D
Pending DMVPN Sessions:

Interface: Tunnel1
  IKE SA: local 192.169.2.9/500 remote 192.169.2.10/500 Active
  Crypto Session Status: UP-ACTIVE
  fvrf: (none), Phase1_id: 192.169.2.10
  IPSEC FLOW: permit 47 host 192.169.2.9 host 192.169.2.10
        Active SAs: 2, origin: crypto map
        Outbound SPI : 0x BB0ED02, transform : esp-aes esp-sha-hmac
  Socket State: Open

Interface: Tunnel1
  IKE SA: local 192.169.2.9/500 remote 192.169.2.11/500 Active
  Crypto Session Status: UP-ACTIVE
  fvrf: (none), Phase1_id: 192.169.2.11
  IPSEC FLOW: permit 47 host 192.169.2.9 host 192.169.2.11
        Active SAs: 2, origin: crypto map
        Outbound SPI : 0xB79B277B, transform : esp-aes esp-sha-hmac
  Socket State: Open

Example: Configuring the Spoke for DMVPN

Device# configure terminal
Device(config)# crypto ikev2 keyring DMVPN
Device(config)# peer DMVPN
Device(config)# address 0.0.0.0 0.0.0.0
Device(config)# pre-shared-key cisco123
Device(config)# peer DMVPNv6
Device(config)# address ::/0
Device(config)# pre-shared-key cisco123v6
Device(config)# crypto ikev2 profile DMVPN
Device(config)# match identity remote address 0.0.0.0
Device(config)# match identity remote address ::/0
Device(config)# authentication local pre-share
Device(config)# authentication remote pre-share
Device(config)# keyring DMVPN
Device(config)# dpd 30 5 on-demand
Device(config)# crypto ipsec transform-set DMVPN esp-aes esp-sha-hmac
Device(config)# mode transport
Device(config)# crypto ipsec profile DMVPN
Device(config)# set transform-set DMVPN
Device(config)# set ikev2-profile DMVPN
Device(config)# interface tunnel 5
Device(config-if)# bandwidth 1000
Device(config-if)# ip address 10.0.0.11 255.255.255.0
Device(config-if)# ip mtu 1400
Device(config-if)# ip nhrp authentication test
Device(config-if)# ip nhrp network-id 100000
Device(config-if)# ip nhrp nhs 10.0.0.1 nbma 2001:DB8:0:FFFF:1::1 multicast
Device(config-if)# ip nhrp shortcut
Device(config-if)# delay 1000
Device(config-if)# ipv6 address 2001:DB8:0:100::B/64
Device(config-if)# ipv6 mtu 1400
Device(config-if)# ipv6 nd ra mtu suppress
Device(config-if)# no ipv6 redirects
Device(config-if)# ipv6 eigrp 1
Device(config-if)# ipv6 nhrp authentication testv6
Device(config-if)# ipv6 nhrp network-id 100006
Device(config-if)# ipv6 nhrp nhs 2001:DB8:0:100::1 nbma 2001:DB8:0:FFFF:1::1 multicast
Device(config-if)# ipv6 nhrp shortcut
Device(config-if)# tunnel source Ethernet0/0
Device(config-if)# tunnel mode gre multipoint ipv6
Device(config-if)# tunnel key 100000
Device(config-if)# end
.
.

The following sample output is from the show dmvpn command, with the ipv6 and detail keywords, for the
spoke:

Device# show dmvpn ipv6 detail

Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface Tunnel1 is up/up, Addr. is 10.0.0.1, VRF ""
   Tunnel Src./Dest. addr: 192.169.2.10/MGRE, Tunnel VRF ""
   Protocol/Transport: "multi-GRE/IP", Protect "test_profile"

IPv6 NHS: 2001::6 RE
Type:Spoke, Total NBMA Peers (v4/v6): 1
    1.Peer NBMA Address: 192.169.2.9
        Tunnel IPv6 Address: 2001::6
        IPv6 Target Network: 2001::/112
        # Ent: 2, Status: NHRP, UpDn Time: never, Cache Attrib: S

IPv6 NHS: 2001::6 RE
Type:Unknown, Total NBMA Peers (v4/v6): 1
    2.Peer NBMA Address: 192.169.2.9
        Tunnel IPv6 Address: FE80::1
        IPv6 Target Network: FE80::1/128
        # Ent: 0, Status: UP, UpDn Time: 00:00:24, Cache Attrib: D

Pending DMVPN Sessions:

Interface: Tunnel1
  IKE SA: local 192.169.2.10/500 remote 192.169.2.9/500 Active
  Crypto Session Status: UP-ACTIVE
  fvrf: (none), Phase1_id: 192.169.2.9
  IPSEC FLOW: permit 47 host 192.169.2.10 host 192.169.2.9
        Active SAs: 2, origin: crypto map
        Outbound SPI : 0x6F75C431, transform : esp-aes esp-sha-hmac
  Socket State: Open
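The show dmvpn ipv6 detail output shown above for the hub and the spoke has two halves: the NHRP peer table and the IKE/IPsec sessions. A quick verification, when reviewing such output from every hub, is to cross-check the halves so that each NBMA peer in the NHRP table is backed by a crypto session that is UP-ACTIVE, carries two IPsec SAs and has an open socket. The following Python script is an added example, not Cisco IOS code and not part of this guide: it parses the output format shown above and reports any peer whose session is missing or unhealthy, or whose cache attribute carries X (no socket) or I (incomplete) from the legend at the top of the command output. SAMPLE_HUB_OUTPUT is constructed from the hub output above, with one fabricated third peer (192.169.2.12) that has no session so the audit has something to flag.

```python
"""Audit 'show dmvpn ipv6 detail' output: every NHRP peer should be backed by an
active IPsec session.  Added example, not Cisco IOS code or part of this guide.
SAMPLE_HUB_OUTPUT is constructed from the hub output in this chapter plus one
fabricated peer (192.169.2.12) that deliberately has no crypto session."""
import re
from dataclasses import dataclass


@dataclass
class Peer:
    nbma: str          # transport (NBMA) address of the remote router
    status: str = ""   # UP, NHRP, IKE, ...
    attrib: str = ""   # legend letters: S, D, I, N, L, X


@dataclass
class CryptoSession:
    remote: str          # remote NBMA address of the IKE SA
    status: str = ""     # Crypto Session Status, e.g. UP-ACTIVE
    active_sas: int = 0  # IPsec SAs carried by the session
    socket: str = ""     # Socket State, e.g. Open


PEER_RE = re.compile(r"^\s*\d+\.Peer NBMA Address:\s*(\S+)")
ENT_RE = re.compile(r"^\s*# Ent:\s*\d+,\s*Status:\s*([^,]+),\s*UpDn Time:\s*[^,]+,"
                    r"\s*Cache Attrib:\s*(\S+)")
IKE_RE = re.compile(r"^\s*IKE SA: local \S+ remote (\S+)/\d+\s+\S+")
CSS_RE = re.compile(r"^\s*Crypto Session Status:\s*(\S+)")
SAS_RE = re.compile(r"^\s*Active SAs:\s*(\d+)")
SOCK_RE = re.compile(r"^\s*Socket State:\s*(\S+)")


def parse_show_dmvpn(text):
    """Return (peers, sessions): the NHRP half and the crypto half of the output."""
    peers, sessions = [], []
    for line in text.splitlines():
        if m := PEER_RE.match(line):
            peers.append(Peer(nbma=m.group(1)))
        elif (m := ENT_RE.match(line)) and peers:
            peers[-1].status, peers[-1].attrib = m.group(1), m.group(2)
        elif m := IKE_RE.match(line):
            sessions.append(CryptoSession(remote=m.group(1)))
        elif (m := CSS_RE.match(line)) and sessions:
            sessions[-1].status = m.group(1)
        elif (m := SAS_RE.match(line)) and sessions:
            sessions[-1].active_sas = int(m.group(1))
        elif (m := SOCK_RE.match(line)) and sessions:
            sessions[-1].socket = m.group(1)
    return peers, sessions


def audit(text):
    """Return one string per problem; an empty list means every peer is protected."""
    peers, sessions = parse_show_dmvpn(text)
    by_remote = {s.remote: s for s in sessions}
    findings = []
    for nbma in sorted({p.nbma for p in peers}):
        attribs = {p.attrib for p in peers if p.nbma == nbma}
        if any("X" in a for a in attribs):
            findings.append(f"{nbma}: NHRP entry has no crypto socket (attrib X)")
        if any("I" in a for a in attribs):
            findings.append(f"{nbma}: incomplete NHRP entry (attrib I)")
        s = by_remote.get(nbma)
        if s is None:
            findings.append(f"{nbma}: no IKE/IPsec session for this NBMA peer")
        elif s.status != "UP-ACTIVE" or s.active_sas < 2 or s.socket != "Open":
            findings.append(f"{nbma}: session unhealthy (status={s.status}, "
                            f"SAs={s.active_sas}, socket={s.socket})")
    return findings


# Constructed sample: peers 1-2 and both sessions follow the guide's hub output;
# peer 3 (192.169.2.12) is fabricated and has no matching session.
SAMPLE_HUB_OUTPUT = """\
Type:Hub, Total NBMA Peers (v4/v6): 3
    1.Peer NBMA Address: 192.169.2.10
        Tunnel IPv6 Address: 2001::4
        # Ent: 2, Status: UP, UpDn Time: 00:01:51, Cache Attrib: D
    2.Peer NBMA Address: 192.169.2.11
        Tunnel IPv6 Address: 2001::5
        # Ent: 2, Status: UP, UpDn Time: 00:26:38, Cache Attrib: D
    3.Peer NBMA Address: 192.169.2.12
        Tunnel IPv6 Address: 2001::7
        # Ent: 1, Status: UP, UpDn Time: 00:00:09, Cache Attrib: D
Pending DMVPN Sessions:
  IKE SA: local 192.169.2.9/500 remote 192.169.2.10/500 Active
  Crypto Session Status: UP-ACTIVE
        Active SAs: 2, origin: crypto map
  Socket State: Open
  IKE SA: local 192.169.2.9/500 remote 192.169.2.11/500 Active
  Crypto Session Status: UP-ACTIVE
        Active SAs: 2, origin: crypto map
  Socket State: Open
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_HUB_OUTPUT) or ["all NBMA peers have an active IPsec session"]:
        print(finding)
```

Run it against the saved output of show dmvpn ipv6 detail from each hub. A peer that sits in the NHRP table without a current IPsec session is usually a stale entry or a session that has just dropped; either way it should be resolved (for example with clear dmvpn session or clear ipv6 nhrp from the Monitoring procedure above) before spoke-to-spoke traffic to that peer is trusted.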

Example: Configuring the NHRP Redirect and Shortcut Features on the Hub

Device(config)# interface tunnel 5
Device(config-if)# ipv6 address 2001:DB8:1:1::72/64
Device(config-if)# ipv6 nhrp redirect
Device(config-if)# ipv6 nhrp shortcut

Example: Configuring NHRP on the Hub and Spoke

Hub

Device# show ipv6 nhrp

2001::4/128 via 2001::4
   Tunnel1 created 00:02:40, expire 00:00:47
   Type: dynamic, Flags: unique registered used
   NBMA address: 192.169.2.10
2001::5/128 via 2001::5
   Tunnel1 created 00:02:37, expire 00:00:47
   Type: dynamic, Flags: unique registered used
   NBMA address: 192.169.2.11
FE80::2/128 via 2001::4
   Tunnel1 created 00:02:40, expire 00:00:47
   Type: dynamic, Flags: unique registered used
   NBMA address: 192.169.2.10
FE80::3/128 via 2001::5
   Tunnel1 created 00:02:37, expire 00:00:47
   Type: dynamic, Flags: unique registered used
   NBMA address: 192.169.2.11

Spoke

Device# show ipv6 nhrp

2001::8/128
   Tunnel1 created 00:00:13, expire 00:02:51
   Type: incomplete, Flags: negative
   Cache hits: 2
2001::/112 via 2001::6
   Tunnel1 created 00:01:16, never expire
   Type: static, Flags: used
   NBMA address: 192.169.2.9
FE80::1/128 via FE80::1
   Tunnel1 created 00:01:15, expire 00:00:43
   Type: dynamic, Flags:
   NBMA address: 192.169.2.9

Additional References

Related Documents

Related Topic                         Document Title
IPv6 addressing and connectivity      IPv6 Configuration Guide
Dynamic Multipoint VPN                Dynamic Multipoint VPN Configuration Guide
Cisco IOS commands                    Master Command List, All Releases
IPv6 commands                         IPv6 Command Reference
Cisco IOS IPv6 features               IPv6 Feature Mapping
Recommended cryptographic algorithms  Next Generation Encryption

Standards and RFCs

Standard/RFC      Title
RFCs for IPv6     IPv6 RFCs

Technical Assistance

Description: The Cisco Support and Documentation website provides online resources to download
documentation, software, and tools. Use these resources to install and configure the software and to
troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on
the Cisco Support and Documentation website requires a Cisco.com user ID and password.
Link: http://www.cisco.com/cisco/web/support/index.html

Feature Information for IPv6 over DMVPN


The following table provides release information about the feature or features described in this module. This
table lists only the software release that introduced support for a given feature in a given software release
train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 2: Feature Information for IPv6 over DMVPN

Feature Name: IPv6 over DMVPN
Feature Information: The DMVPN feature allows users to better scale large and small IPsec Virtual Private
Networks (VPNs) by combining generic routing encapsulation (GRE) tunnels, IP security (IPsec) encryption,
and the Next Hop Resolution Protocol (NHRP). In Dynamic Multipoint Virtual Private Network (DMVPN) for
IPv6, the public network (the Internet) is a pure IPv4 network, and the private network (the intranet) is
IPv6 capable.
The following commands were introduced or modified: clear dmvpn session, clear ipv6 nhrp, crypto ipsec
profile, debug dmvpn, debug dmvpn condition, debug nhrp condition, debug nhrp error, ipv6 nhrp
authentication, ipv6 nhrp holdtime, ipv6 nhrp interest, ipv6 nhrp map, ipv6 nhrp map multicast, ipv6 nhrp
map multicast dynamic, ipv6 nhrp max-send, ipv6 nhrp network-id, ipv6 nhrp nhs, ipv6 nhrp record, ipv6
nhrp redirect, ipv6 nhrp registration, ipv6 nhrp responder, ipv6 nhrp server-only, ipv6 nhrp shortcut,
ipv6 nhrp trigger-svc, ipv6 nhrp use, set pfs, set security-association lifetime, set transform-set, show
dmvpn, show ipv6 nhrp, show ipv6 nhrp multicast, show ipv6 nhrp nhs, show ipv6 nhrp summary, show ipv6
nhrp traffic.

Feature Name: IPv6 Transport for DMVPN
Feature Information: The IPv6 transport for DMVPN feature builds IPv6 WAN-side capability into NHRP
tunnels and the underlying IPsec encryption, and enables IPv6 to transport payloads on the Internet.
The IPv6 transport for DMVPN feature is enabled by default.

CHAPTER 3
DMVPN Configuration Using FQDN
The DMVPN Configuration Using FQDN feature enables next hop clients (NHCs) to register with the next
hop server (NHS).
This feature allows you to configure a fully qualified domain name (FQDN) for the nonbroadcast multiple
access network (NBMA) address of the hub (NHS) on the spokes (NHCs). The spokes resolve the FQDN to an
IP address using the DNS service and register with the hub using the newly resolved address. This
allows spokes to dynamically locate the IP address of the hub using the FQDN.
With this feature, spokes need not configure the protocol address of the hub. Spokes learn the protocol address
of the hub dynamically from the NHRP registration reply of the hub. According to RFC 2332, the hub to
which the NHRP registration was sent responds with its own protocol address in the NHRP registration reply
and hence the spokes learn the protocol address of the hub from the NHRP registration reply packet.
In Cisco IOS Release 15.1(2)T and earlier releases, in Dynamic Multipoint VPN (DMVPN), NHS NBMA
addresses were configured with either IPv4 or IPv6 addresses. Because NHS was configured to receive a
dynamic NBMA address, it was difficult for NHCs to get the updated NBMA address and register with the
NHS. This limitation is addressed with the DMVPN Configuration Using FQDN feature. This feature allows
NHC to use an FQDN instead of an IP address to configure NBMA and register with the NHS dynamically.
• Finding Feature Information, on page 75
• Prerequisites for DMVPN Configuration Using FQDN, on page 76
• Restrictions for DMVPN Configuration Using FQDN, on page 76
• Information About DMVPN Configuration Using FQDN, on page 76
• How to Configure DMVPN Configuration Using FQDN, on page 77
• Configuration Examples for DMVPN Configuration Using FQDN, on page 82
• Additional References, on page 84
• Feature Information for DMVPN Configuration Using FQDN, on page 85

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for DMVPN Configuration Using FQDN


Cisco IOS Domain Name System (DNS) client must be available on the spoke.

Restrictions for DMVPN Configuration Using FQDN


If the NBMA IP address resolved from the FQDN is not mapped to an NHS configured with the protocol
address, the spoke cannot register with the hub.

Information About DMVPN Configuration Using FQDN


DNS Functionality
A Domain Name System (DNS) client communicates with a DNS server to translate a hostname to an IP
address.
The intermediate DNS server or the DNS client on the router caches the DNS reply for the FQDN for the
lifetime of the entry. If the DNS client receives another query for the same name before the lifetime expires,
it answers from the cached entry. When the cached entry expires, the DNS client queries the DNS server again.
If the NBMA address of the NHS changes frequently, the DNS entry lifetime must be short; otherwise the
spokes may take some time before they start using the new NBMA address for the NHS.

DNS Server Deployment Scenarios


A DNS server can be located either in the hub network or outside the hub-and-spoke network.
The following are the four DNS server load-balancing models:
• Round robin--Each DNS request is assigned the next IP address in sequence from the list of IP addresses
configured for an FQDN.
• Weighted round robin--Similar to round-robin load balancing, except that each IP address (node) is
assigned a weight, and nodes with higher weights take more of the load or traffic.
• Geography or network--Geography-based load balancing directs requests to the optimal node, that is, the
node that is geographically nearest or most efficient for the requester.
• Failover--Failover load balancing sends all requests to a single host until the load balancer determines that
the node is no longer available. It then directs traffic to the next available node in the list.


How to Configure DMVPN Configuration Using FQDN


Configuring a DNS Server on a Spoke
Perform this task to configure a DNS server on a spoke. You need to perform this task only if you want to resolve
the FQDN using an external DNS server.

SUMMARY STEPS
1. enable
2. configure terminal
3. ip name-server ip-address
4. exit

DETAILED STEPS

Step 1 enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:

Router> enable

Step 2 configure terminal
Enters global configuration mode.
Example:

Router# configure terminal

Step 3 ip name-server ip-address
Configures a DNS server on a spoke.
Example:

Router(config)# ip name-server 192.0.2.1

Step 4 exit
Exits global configuration mode.
Example:

Router(config)# exit

Configuring a DNS Server


Perform this task to configure a DNS server. You must perform the configuration on a DNS server.

SUMMARY STEPS
1. enable
2. configure terminal


3. ip dns server
4. ip host hostname ip-address
5. exit

DETAILED STEPS

Step 1 enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:

Router> enable

Step 2 configure terminal
Enters global configuration mode.
Example:

Router# configure terminal

Step 3 ip dns server
Enables a DNS server.
Example:

Router(config)# ip dns server

Step 4 ip host hostname ip-address
Maps an FQDN (hostname) to the IP address in the DNS hostname cache for a DNS view.
Note Configure the ip host command on the DNS server if you have configured a DNS server on the spoke,
and configure the command on the spoke itself if you have not configured a DNS server on the spoke. See the
Configuring a DNS Server on a Spoke task.
Example:

Router(config)# ip host host1.example.com 192.0.2.2

Step 5 exit
Exits global configuration mode.
Example:

Router(config)# exit

Configuring an FQDN with a Protocol Address


Perform this task to configure an FQDN with a protocol address. You must know the protocol address of the
NHS while you are configuring the FQDN. This configuration registers the spoke with the hub using the NBMA
address resolved from the FQDN.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface tunnel number


4. ip nhrp nhs nhs-address [nbma {nbma-address | FQDN-string}] [multicast] [priority value] [cluster
number]
5. end

DETAILED STEPS

Step 1 enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:

Router> enable

Step 2 configure terminal
Enters global configuration mode.
Example:

Router# configure terminal

Step 3 interface tunnel number
Enters interface configuration mode.
Example:

Router(config)# interface tunnel 1

Step 4 ip nhrp nhs nhs-address [nbma {nbma-address | FQDN-string}] [multicast] [priority value] [cluster number]
Registers a spoke to a hub.
• You can configure the command in the following two ways:
  • ip nhrp nhs protocol-ipaddress nbma FQDN-string--Use this command to register a spoke to a hub using
  the FQDN string.
  • ip nhrp nhs protocol-ipaddress nbma nbma-ipaddress--Use this command to register a spoke to a hub using
  the NHS NBMA IP address.
Note You can use the ipv6 nhrp nhs protocol-ipaddress [nbma {nhs-ipaddress | FQDN-string}] [multicast]
[priority value] [cluster number] command for registering an IPv6 address.
Example:

Router(config-if)# ip nhrp nhs 192.0.2.1 nbma examplehub.example1.com multicast

Step 5 end
Exits interface configuration mode and returns to privileged EXEC mode.
Example:

Router(config-if)# end

Configuring an FQDN Without an NHS Protocol Address


Perform this task to configure an FQDN without an NHS protocol address.


SUMMARY STEPS
1. enable
2. configure terminal
3. interface tunnel number
4. ip nhrp nhs dynamic nbma {nbma-address | FQDN-string} [multicast] [priority value] [cluster
value]
5. end

DETAILED STEPS

Step 1 enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:

Router> enable

Step 2 configure terminal
Enters global configuration mode.
Example:

Router# configure terminal

Step 3 interface tunnel number
Enters interface configuration mode.
Example:

Router(config)# interface tunnel 1

Step 4 ip nhrp nhs dynamic nbma {nbma-address | FQDN-string} [multicast] [priority value] [cluster value]
Registers a spoke to a hub.
• The NHS protocol address is dynamically fetched by the spoke. You can configure the command in the
following two ways:
  • ip nhrp nhs dynamic nbma FQDN-string--Use this command to register a spoke to a hub using the FQDN
  string.
  • ip nhrp nhs dynamic nbma nbma-address--Use this command to register a spoke to a hub using the NHS
  NBMA IP address.
Note You can use the ipv6 nhrp nhs dynamic nbma {nbma-address | FQDN-string} [multicast] [priority value]
[cluster value] command for registering an IPv6 address.
Example:

Router(config-if)# ip nhrp nhs dynamic nbma examplehub.example1.com

Step 5 end
Exits interface configuration mode and returns to privileged EXEC mode.
Example:

Router(config-if)# end


Verifying DMVPN FQDN Configuration


This task shows how to display information to verify DMVPN FQDN configuration. The following show
commands can be entered in any order.

SUMMARY STEPS
1. enable
2. show dmvpn
3. show ip nhrp nhs
4. show running-config interface tunnel tunnel-number
5. show ip nhrp multicast

DETAILED STEPS

Step 1 enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:

Router> enable

Step 2 show dmvpn


Displays DMVPN-specific session information.
Example:

Router# show dmvpn


Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel1, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 192.0.2.1 192.0.2.2 UP 00:00:12 S
(h1.cisco.com)

Step 3 show ip nhrp nhs


Displays the status of the NHS.
Example:

Router# show ip nhrp nhs


IPv4 Registration Timer: 10 seconds
Legend: E=Expecting replies, R=Responding, W=Waiting
Tunnel1:
192.0.2.1 RE NBMA Address: 192.0.2.2 (h1.cisco.com) priority = 0 cluster = 0

Step 4 show running-config interface tunnel tunnel-number


Displays the contents of the current running configuration file or the tunnel interface configuration.
Example:

Router# show running-config interface tunnel 1


Building configuration...
Current configuration : 462 bytes
!
interface Tunnel1
ip address 192.0.2.1 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication testing
ip nhrp group spoke_group2
ip nhrp network-id 123
ip nhrp holdtime 150
ip nhrp nhs dynamic nbma h1.cisco.com multicast
ip nhrp registration unique
ip nhrp registration timeout 10
ip nhrp shortcut
no ip route-cache cef
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 1001
tunnel protection ipsec profile DMVPN
end

Step 5 show ip nhrp multicast


Displays NHRP multicast mapping information.
Example:

Router# show ip nhrp multicast


I/F NBMA address
Tunnel1 192.0.2.1 Flags: nhs
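The DNS caching behaviour described under DNS Functionality and the show ip nhrp nhs output shown in this task can be checked together from a script. The following Python is an added example, not part of the Cisco guide: it parses the show ip nhrp nhs format above, flags NHS entries that are not Responding or whose FQDN no longer resolves to the registered NBMA address, and gives a simplified bound on how long a spoke can keep using a stale address. The sample output, the dns_answers stand-in for the spoke's resolver, and the switchover estimate are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the format of the 'show ip nhrp nhs' output in this chapter.
SAMPLE_SHOW_NHS = """\
IPv4 Registration Timer: 10 seconds
Legend: E=Expecting replies, R=Responding, W=Waiting
Tunnel1:
192.0.2.1 RE NBMA Address: 192.0.2.2 (h1.cisco.com) priority = 0 cluster = 0
Tunnel2:
192.0.2.9 E NBMA Address: 203.0.113.9 (h2.example.com) priority = 0 cluster = 1
192.0.2.10 RE NBMA Address: 203.0.113.10 priority = 1 cluster = 1
"""


@dataclass
class NhsEntry:
    interface: str
    protocol_addr: str
    flags: str            # letters from the legend: E, R, W
    nbma_addr: str
    fqdn: Optional[str]   # present when the NHS was configured with 'nbma <FQDN>'
    priority: int
    cluster: int

    @property
    def responding(self) -> bool:
        return "R" in self.flags


TIMER_RE = re.compile(r"^IPv4 Registration Timer:\s+(?P<secs>\d+)\s+seconds$")
IFACE_RE = re.compile(r"^(?P<iface>\S+):$")
NHS_RE = re.compile(
    r"^(?P<proto>\S+)\s+(?P<flags>[ERW]+)\s+NBMA Address:\s+(?P<nbma>\S+)"
    r"(?:\s+\((?P<fqdn>[^)]+)\))?\s+priority\s*=\s*(?P<prio>\d+)\s+cluster\s*=\s*(?P<cluster>\d+)$"
)


def parse_show_nhs(text: str) -> Tuple[Optional[int], List[NhsEntry]]:
    """Return (registration timer in seconds, NHS entries) from 'show ip nhrp nhs' text."""
    timer: Optional[int] = None
    iface: Optional[str] = None
    entries: List[NhsEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = TIMER_RE.match(line)
        if m:
            timer = int(m.group("secs"))
            continue
        m = IFACE_RE.match(line)
        if m:
            iface = m.group("iface")   # e.g. 'Tunnel1:' starts a new interface block
            continue
        m = NHS_RE.match(line)
        if m and iface is not None:
            entries.append(NhsEntry(iface, m.group("proto"), m.group("flags"), m.group("nbma"),
                                    m.group("fqdn"), int(m.group("prio")), int(m.group("cluster"))))
    return timer, entries


def audit(entries: List[NhsEntry], dns_answers: Dict[str, str]) -> List[str]:
    """Flag NHS entries an operator should look at.

    dns_answers stands in for what the spoke's DNS client would resolve right now
    (constructed; a real check would query the name server configured on the spoke).
    """
    findings: List[str] = []
    for e in entries:
        if not e.responding:
            findings.append(f"{e.interface}: NHS {e.protocol_addr} not responding (flags {e.flags})")
        if e.fqdn:
            current = dns_answers.get(e.fqdn)
            if current is None:
                findings.append(f"{e.interface}: {e.fqdn} does not resolve; registration will fail")
            elif current != e.nbma_addr:
                # The spoke keeps the cached answer until the DNS entry lifetime expires.
                findings.append(f"{e.interface}: {e.fqdn} now resolves to {current} but the spoke "
                                f"is registered with cached {e.nbma_addr}")
    return findings


def worst_case_switchover_seconds(dns_ttl: int, registration_timer: int) -> int:
    """Simplified upper bound (an assumption of this example, not from the guide) on how
    long a spoke may keep registering with an old NBMA address after the NHS moves: the
    cached DNS entry lives out its lifetime, then the next periodic registration picks up
    the new address."""
    return dns_ttl + registration_timer
```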

Configuration Examples for DMVPN Configuration Using FQDN


Example Configuring a Local DNS Server
The following example shows how to configure a local DNS server:

enable
configure terminal
ip host host1.example.com 192.0.2.2

Example Configuring an External DNS Server


The following example shows how to configure an external DNS server:


On a spoke

enable
configure terminal
ip name-server 192.0.2.1

On a DNS Server

enable
configure terminal
ip dns server
ip host host1.example.com 192.0.2.2

Example Configuring NHS with a Protocol Address and an NBMA Address


The following example shows how to configure NHS with a protocol address and an NBMA address:

enable
configure terminal
interface tunnel 1
ip nhrp nhs 192.0.2.1 nbma 209.165.200.225

Example Configuring NHS with a Protocol Address and an FQDN


The following example shows how to configure NHS with a protocol address and an FQDN:

enable
configure terminal
interface tunnel 1
ip nhrp nhs 192.0.2.1 nbma examplehub.example1.com

Example Configuring NHS Without a Protocol Address and with an NBMA Address


The following example shows how to configure NHS without a protocol address and with an NBMA address:

enable
configure terminal
interface tunnel 1
ip nhrp nhs dynamic nbma 192.0.2.1

Example Configuring NHS Without a Protocol Address and with an FQDN


The following example shows how to configure NHS without a protocol address and with an FQDN:

enable
configure terminal
interface tunnel 1
ip nhrp nhs dynamic nbma examplehub.example1.com


Additional References
Related Documents

Related Topic: Cisco IOS commands
Document Title: Cisco IOS Master Commands List, All Releases

Related Topic: DMVPN complete command syntax, command mode, defaults, usage guidelines, and examples
Document Title: Cisco IOS Security Command Reference

Standards

Standard: No new or modified standards are supported by this feature, and support for existing standards
has not been modified by this feature.
Title: --

MIBs

MIB: No new or modified MIBs are supported by this feature, and support for existing MIBs has not been
modified by this feature.
MIBs Link: To locate and download MIBs for selected platforms, Cisco software releases, and feature sets,
use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs

RFCs

RFC: RFC 2332
Title: NBMA Next Hop Resolution Protocol (NHRP)

Technical Assistance

Description: The Cisco Support and Documentation website provides online resources to download
documentation, software, and tools. Use these resources to install and configure the software and to
troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the
Cisco Support and Documentation website requires a Cisco.com user ID and password.
Link: http://www.cisco.com/cisco/web/support/index.html


Feature Information for DMVPN Configuration Using FQDN


The following table provides release information about the feature or features described in this module. This
table lists only the software release that introduced support for a given feature in a given software release
train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 3: Feature Information for DMVPN Configuration Using FQDN

Feature Name: DMVPN Configuration Using FQDN
Releases:
Feature Information: The DMVPN Configuration Using FQDN feature enables the NHC to register with the
NHS. It uses the NHRP without using the protocol address of the NHS.
The following commands were introduced or modified: clear dmvpn session, debug nhrp condition, ip nhrp
nhs, and ipv6 nhrp nhs.

CHAPTER 4
Per-Tunnel QoS for DMVPN
The Per-Tunnel QoS for DMVPN feature introduces per-tunnel QoS support for DMVPN and increases
per-tunnel QoS performance for IPsec tunnel interfaces.

Note Security threats, as well as the cryptographic technologies to help protect against them, are constantly changing.
For more information about the latest Cisco cryptographic recommendations, see the Next Generation
Encryption (NGE) white paper.

• Finding Feature Information, on page 87
• Prerequisites for Per-Tunnel QoS for DMVPN, on page 87
• Restrictions for Per-Tunnel QoS for DMVPN, on page 88
• Information About Per-Tunnel QoS for DMVPN, on page 88
• How to Configure Per-Tunnel QoS for DMVPN, on page 90
• Configuration Examples for Per-Tunnel QoS for DMVPN, on page 94
• Additional References for Per-Tunnel QoS for DMVPN, on page 102
• Feature Information for Per-Tunnel QoS for DMVPN, on page 102

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for Per-Tunnel QoS for DMVPN


• Before you configure the Per-Tunnel QoS for DMVPN feature, you must configure Cisco Express
Forwarding switching.


• Before you can configure a Next Hop Resolution Protocol (NHRP) group on a spoke and map the NHRP
group to a QoS policy on a hub, the spoke and the hub must already be configured for DMVPN without
per-tunnel QoS.

Restrictions for Per-Tunnel QoS for DMVPN

Information About Per-Tunnel QoS for DMVPN


Per-Tunnel QoS for DMVPN Overview
The Per-Tunnel QoS for DMVPN feature lets you apply a quality of service (QoS) policy on a Dynamic
Multipoint VPN (DMVPN) hub on a per-tunnel instance (per-spoke basis) in the egress direction for DMVPN
hub-to-spoke tunnels. The QoS policy on a DMVPN hub on a per-tunnel instance lets you shape tunnel traffic
to individual spokes (a parent policy) and differentiate individual data flows going through the tunnel for
policing (a child policy). The QoS policy that the hub uses for a specific spoke is selected according to the
specific Next Hop Resolution Protocol (NHRP) group into which that spoke is configured. Although you can
configure many spokes into the same NHRP group, the tunnel traffic for each spoke is measured individually
for shaping and policing.
You can use this feature with DMVPN with or without Internet Protocol Security (IPsec).
When the Per-Tunnel QoS for DMVPN feature is enabled, queuing and shaping are performed at the outbound
physical interface for generic routing encapsulation (GRE)/IPsec tunnel packets. The Per-Tunnel QoS for
DMVPN feature ensures that the GRE header, the IPsec header, and the Layer 2 (for the physical interface)
header are included in the packet-size calculations for shaping and bandwidth queuing of packets under QoS.

Benefits of Per-Tunnel QoS for DMVPN


Before the introduction of the Per-Tunnel QoS for DMVPN feature, quality of service (QoS) on a Dynamic
Multipoint VPN (DMVPN) hub could be configured to measure only the outbound traffic in the aggregate
(over all spokes) or the outbound traffic on a per-spoke basis (with extensive manual configuration).
The Per-Tunnel QoS for DMVPN feature provides the following benefits:
• The QoS policy is attached to the DMVPN hub, and the criteria for matching the tunnel traffic are set
up automatically as each spoke registers with the hub (which means that extensive manual configuration
is not needed).
• Traffic can be regulated from the hub to spokes on a per-spoke basis.
• The hub cannot send excessive traffic to (and overrun) a small spoke.
• The amount of outbound hub bandwidth that a “greedy” spoke can consume can be limited; therefore,
the traffic cannot monopolize a hub’s resources and starve other spokes.


NHRP QoS Provisioning for DMVPN


Next Hop Resolution Protocol (NHRP) performs the provisioning for the Per-Tunnel QoS for DMVPN feature
by using NHRP groups.
An NHRP group, a new functionality introduced by this feature, is the group identity information signaled
by a Dynamic Multipoint VPN (DMVPN) node (a spoke) to the DMVPN hub. The hub uses this information
to select a locally defined quality of service (QoS) policy instance for the remote node.
You can configure an NHRP group on the spoke router on the DMVPN generic routing encapsulation (GRE)
tunnel interface. The NHRP group name is communicated to the hub in each of the periodic NHRP registration
requests sent from the spoke to the hub.
NHRP group-to-QoS policy mappings are configured on the hub DMVPN GRE tunnel interface. The NHRP
group string received from a spoke is mapped to a QoS policy, which is applied to that hub-to-spoke tunnel
in the egress direction.
After an NHRP group is configured on a spoke, the group is not immediately sent to the hub, but is sent in
the next periodic registration request. The spoke can belong to only one NHRP group per GRE tunnel interface.
If a spoke is configured as part of two or more DMVPN networks (multiple GRE tunnel interfaces), then the
spoke can have a different NHRP group name on each of the GRE tunnel interfaces.
If an NHRP group is not received from the spoke, then no QoS policy is applied to the spoke, and any
existing QoS policy applied to that spoke is removed. If an NHRP group is received from a spoke whose
previous NHRP registrations did not carry an NHRP group, then the corresponding QoS policy is applied. If
the same NHRP group is received from a spoke as in its earlier NHRP registration request, then no action
is taken, because a QoS policy has already been applied for that spoke. If a different NHRP group is
received from the spoke than the one in the previous NHRP registration request, any applied QoS
policy is removed, and the QoS policy corresponding to the new NHRP group is applied.
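The hub-side handling of NHRP groups described in the paragraph above, as an added Python model that is not Cisco code: a Spoke carries its configured group only in its next registration request, and the Hub applies, keeps, replaces or removes the mapped policy per the four rules. The Spoke and Hub classes, the HUB_GROUP_MAP sample, and the treatment of a group name with no hub mapping are assumptions of this example.

```python
from typing import Dict, List, Optional

# Hub-side mappings as configured with
#   nhrp map group <group-name> service-policy output <policy-map-name>
# Constructed sample using the names from this chapter's examples.
HUB_GROUP_MAP = {"spoke_group1": "group1_parent", "spoke_group2": "group2_parent"}


class Spoke:
    """Minimal spoke model (hypothetical). The NHRP group configured on the GRE tunnel
    interface is not sent immediately; it rides in the next periodic registration
    request, and a tunnel interface belongs to at most one group."""

    def __init__(self, nbma_addr: str) -> None:
        self.nbma_addr = nbma_addr
        self.group: Optional[str] = None

    def configure_group(self, group: Optional[str]) -> None:
        # 'nhrp group <name>' sets the group; 'no nhrp group' clears it (None)
        self.group = group

    def registration_request(self) -> Dict[str, Optional[str]]:
        return {"nbma": self.nbma_addr, "group": self.group}


class Hub:
    """Hypothetical hub model applying the registration rules from the text:
    no group -> remove any policy; first group -> apply; same group -> no action;
    different group -> remove the old policy and apply the new one."""

    def __init__(self, group_map: Dict[str, str]) -> None:
        self.group_map = dict(group_map)
        self.applied: Dict[str, str] = {}  # spoke NBMA address -> policy in effect

    def handle_registration(self, request: Dict[str, Optional[str]]) -> str:
        spoke = request["nbma"] or ""
        group = request["group"]
        current = self.applied.get(spoke)
        # Assumption of this example (the guide does not say): a group name with no
        # 'nhrp map group' entry on the hub is handled like no group at all.
        wanted = self.group_map.get(group) if group is not None else None
        if wanted is None:
            if current is None:
                return "no action"
            del self.applied[spoke]
            return f"removed {current}"
        if current == wanted:
            return "no action"
        self.applied[spoke] = wanted
        if current is None:
            return f"applied {wanted}"
        return f"replaced {current} with {wanted}"

    def group_map_view(self) -> Dict[str, List[str]]:
        """Policy -> spokes it is applied to, in the spirit of 'show nhrp group-map'."""
        view: Dict[str, List[str]] = {policy: [] for policy in self.group_map.values()}
        for spoke, policy in sorted(self.applied.items()):
            view[policy].append(spoke)
        return view
```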

Per-Tunnel QoS for Spoke to Spoke Connections


The QoS: Spoke to Spoke per tunnel QoS for DMVPN feature enables a DMVPN client to establish a direct
crypto tunnel with another DMVPN client leveraging the per-tunnel QoS policy, using Next Hop Resolution
Protocol (NHRP) to build spoke-to-spoke connections.
This feature enhances the Adaptive QoS over DMVPN feature, which ensures effective bandwidth management
using dynamic shapers based on available bandwidth.
A spoke-to-spoke connection is established when group identity information, configured on the spokes using
the nhrp attribute group command, is exchanged between the spokes through the NHRP Vendor Private
Extension (VPE). The NHRP Vendor Private Extensions are encapsulated in NHRP control packets, namely the
NHRP resolution request and reply packets.
Assume a network with two spokes, Spoke A and Spoke B, connected to a hub. If Spoke A is configured with
the nhrp attribute group command and traffic exists between Spoke A and Spoke B, a resolution request
from Spoke A carries the group identity information as part of the Vendor Private Extension (VPE). On
receiving the resolution request, Spoke B extracts the VPE header and checks the extension types received
as part of the resolution request packet. If the VPE carries a group-type extension, the NHRP VPE parser
extracts the group information and checks whether a matching map is present. If a matching map is present,
QoS applies the policy on the target interface.


How to Configure Per-Tunnel QoS for DMVPN


To configure the Per-Tunnel QoS for DMVPN feature, you define a Next Hop Resolution Protocol (NHRP)
group on the spokes and then map the NHRP group to a quality of service (QoS) policy on the hub.

Configuring an NHRP Group on a Spoke


SUMMARY STEPS
1. enable
2. configure terminal
3. interface tunnel number
4. nhrp group group-name
5. end

DETAILED STEPS

Step 1 enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:

Device> enable

Step 2 configure terminal
Enters global configuration mode.
Example:

Device# configure terminal

Step 3 interface tunnel number
Configures a tunnel interface and enters interface configuration mode.
Example:

Device(config)# interface tunnel 1

Step 4 nhrp group group-name
Configures a Next Hop Resolution Protocol (NHRP) group on the spoke.
Example:

Device(config-if)# nhrp group spoke_group1

Step 5 end
Exits interface configuration mode and returns to privileged EXEC mode.
Example:

Device(config-if)# end

Configuring an NHRP Group Attribute on a Spoke


SUMMARY STEPS
1. enable
2. configure terminal


3. interface tunnel number
4. nhrp attribute group group-name
5. nhrp map group group-name service-policy output qos-policy-map-name
6. end

DETAILED STEPS

Step 1 enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:

Device> enable

Step 2 configure terminal
Enters global configuration mode.
Example:

Device# configure terminal

Step 3 interface tunnel number
Configures a tunnel interface and enters interface configuration mode.
Example:

Device(config)# interface tunnel 1

Step 4 nhrp attribute group group-name
Configures the QoS group identity information on the spoke.
Example:

Device(config-if)# nhrp attribute group spoke1

Step 5 nhrp map group group-name service-policy output qos-policy-map-name
Adds the Next Hop Resolution Protocol (NHRP) group to the quality of service (QoS) policy mapping.
Example:

Device(config-if)# nhrp map group spoke_group1 service-policy output group1_parent

Step 6 end
Exits interface configuration mode and returns to privileged EXEC mode.
Example:

Device(config-if)# end

Mapping an NHRP Group to a QoS Policy on the Hub


SUMMARY STEPS
1. enable
2. configure terminal
3. interface tunnel number
4. nhrp map group group-name service-policy output qos-policy-map-name
5. end


DETAILED STEPS

Step 1 enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:

Device> enable

Step 2 configure terminal
Enters global configuration mode.
Example:

Device# configure terminal

Step 3 interface tunnel number
Configures a tunnel interface and enters interface configuration mode.
Example:

Device(config)# interface tunnel 1

Step 4 nhrp map group group-name service-policy output qos-policy-map-name
Adds the Next Hop Resolution Protocol (NHRP) group to the quality of service (QoS) policy mapping on the hub.
Example:

Device(config-if)# nhrp map group spoke_group1 service-policy output group1_parent

Step 5 end
Exits interface configuration mode and returns to privileged EXEC mode.
Example:

Device(config-if)# end

Enabling DMVPN Per-tunnel QoS Sourced from Port Channel


To enable this feature, you must configure the platform qos port-channel-aggregate <port-channel number>
command before configuring the port channel.
The platform qos port-channel-aggregate <port-channel number> command is required for this feature. The
order of the configuration steps is important for enabling the DMVPN Per-tunnel QoS Sourced from
Port-Channel feature: the platform qos port-channel-aggregate <port-channel number> command must be
configured first, then the port-channel interface must be created, and lastly the channel-group x command
must be applied to the member ports.
Both the port-channel main interface and subinterfaces are supported in aggregate mode.

Note Before configuring the command, you must remove the 'port channel interface' and 'channel-group'
configuration from the physical interface.

1. Enable the command platform qos port-channel-aggregate <port-channel number> before configuring
port channel.
2. Configure per-tunnel QoS.
3. Reset the NHRP registration process to ensure the spokes register now that the new configuration is present
on the hub BR. Use the command show dmvpn detail to display the NHRP group for each spoke.

Verifying Per-Tunnel QoS for DMVPN


SUMMARY STEPS
1. enable
2. show dmvpn detail
3. show nhrp
4. show nhrp group [group-name]
5. show nhrp group-map [group-name]
6. show policy-map multipoint [tunnel tunnel-interface-number]
7. show tunnel endpoints

DETAILED STEPS

Step 1 enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:

Device> enable

Step 2 show dmvpn detail
Displays detailed Dynamic Multipoint VPN (DMVPN) information for each session, including the Next Hop
Server (NHS) and NHS status, crypto session information, and socket details.
• The output includes the Next Hop Resolution Protocol (NHRP) group received from the spoke and the
quality of service (QoS) policy applied to the spoke tunnel.
Example:

Device# show dmvpn detail

Step 3 show nhrp
Displays the NHRP cache and the NHRP group received from the spoke.
Example:

Device# show nhrp

Step 4 show nhrp group [group-name]
Displays NHRP group mapping.
• The output includes the associated QoS policy name and the list of tunnel endpoints using the QoS policy.
Example:

Device# show nhrp group

Step 5 show nhrp group-map [group-name]
Displays the group-to-policy maps configured on the hub and also displays the tunnels on which the QoS
policy is applied.
Example:

Device# show nhrp group-map group1-parent

Step 6 show policy-map multipoint [tunnel tunnel-interface-number]
Displays QoS policy details applied to multipoint tunnels.
Example:

Device# show policy-map multipoint tunnel 1

Step 7 show tunnel endpoints
Displays information about the source and destination endpoints for multipoint tunnels and the QoS policy
applied on the spoke tunnel.
Example:

Device# show tunnel endpoints

Configuration Examples for Per-Tunnel QoS for DMVPN


Example: Configuring an NHRP Group on a Spoke
The following example shows how to configure two Next Hop Resolution Protocol (NHRP) groups on three
spokes:

Configuring the First Spoke

interface tunnel 1
ip address 209.165.200.225 255.255.255.224
no ip redirects
ip mtu 1400
ip nhrp authentication testing
nhrp group spoke_group1
ip nhrp map 209.165.200.226 203.0.113.1
ip nhrp map multicast 203.0.113.1
ip nhrp network-id 172176366
ip nhrp holdtime 300
ip tcp adjust-mss 1360
ip nhrp nhs 209.165.200.226
tunnel source fastethernet 2/1/1
tunnel mode gre multipoint
tunnel protection ipsec profile DMVPN
interface fastethernet 2/1/1
ip address 203.0.113.2 255.255.255.0

Configuring the Second Spoke

interface tunnel 1
ip address 209.165.200.227 255.255.255.224
no ip redirects
ip mtu 1400
ip nhrp authentication testing
nhrp group spoke_group1
ip nhrp map 209.165.200.226 203.0.113.1
ip nhrp map multicast 203.0.113.1
ip nhrp network-id 172176366
ip nhrp holdtime 300
ip tcp adjust-mss 1360
ip nhrp nhs 209.165.200.226
tunnel source fastethernet 2/1/1
tunnel mode gre multipoint
tunnel protection ipsec profile DMVPN
interface fastethernet 2/1/1
ip address 203.0.113.3 255.255.255.0

Configuring the Third Spoke

interface tunnel 1
ip address 209.165.200.228 255.255.255.224
no ip redirects
ip mtu 1400
ip nhrp authentication testing
nhrp group spoke_group2
ip nhrp map 209.165.200.226 203.0.113.1
ip nhrp map multicast 203.0.113.1
ip nhrp network-id 172176366
ip nhrp holdtime 300
ip tcp adjust-mss 1360
ip nhrp nhs 209.165.200.226
tunnel source fastethernet 2/1/1
tunnel mode gre multipoint
tunnel protection ipsec profile DMVPN
interface fastethernet 2/1/1
ip address 203.0.113.4 255.255.255.0

Example: Configuring an NHRP Group Attribute on a Spoke


The following example shows how to configure Next Hop Resolution Protocol (NHRP) group attributes on
two spokes:

Configuring the First Spoke


class-map match-any class2
match ip precedence 5
end
!
policy-map p2
class class2
priority percent 60
end
!
interface Tunnel0
ip address 10.0.0.2 255.255.255.0
no ip redirects
ip mtu 1436
ip nhrp authentication h1there
ip nhrp attribute group1
ip nhrp map group group1 service-policy output p2
ip nhrp map multicast 172.17.0.1
ip nhrp map 10.0.0.1 172.17.0.1
ip nhrp network-id 253
ip nhrp nhs 10.0.0.1
ip nhrp registration timeout 600
ip nhrp cache non-authoritative
no ip mroute-cache
tunnel source 172.17.0.2
tunnel mode gre multipoint
tunnel key 253
tunnel protection ipsec profile dmvpn-profile
end

Configuring the Second Spoke


class-map match-any class1
match ip precedence 5

policy-map p1
class class1
priority 70

interface Tunnel0
ip address 10.0.0.1 255.255.255.0
no ip redirects
ip mtu 1436
ip nhrp authentication h1there
ip nhrp attribute group1
ip nhrp map group group1 service-policy output p1
ip nhrp map multicast 172.17.0.2
ip nhrp map 10.0.0.2 172.17.0.2
ip nhrp network-id 253
ip nhrp nhs 10.0.0.2
ip nhrp registration timeout 600
ip nhrp cache non-authoritative
no ip mroute-cache
tunnel source 172.17.0.1
tunnel mode gre multipoint
tunnel key 253
tunnel protection ipsec profile dmvpn-profile
end

Example: Mapping an NHRP Group to a QoS Policy on the Hub


The following example shows how to map Next Hop Resolution Protocol (NHRP) groups to a quality of
service (QoS) policy on the hub. The example uses a hierarchical QoS policy (parent:
group1_parent/group2_parent; child: group1/group2) of the kind used to configure the Per-Tunnel QoS for
Dynamic Multipoint VPN (DMVPN) feature: the parent policy shapes each spoke's tunnel to an aggregate rate,
and the child policy prioritizes and allocates bandwidth within that shaped rate. The example also shows how
to map the NHRP group spoke_group1 to the QoS policy group1_parent and the NHRP group spoke_group2 to
the QoS policy group2_parent on the hub:

class-map match-all group1_Routing
match ip precedence 6
class-map match-all group2_Routing
match ip precedence 6
class-map match-all group2_voice
match access-group 100
class-map match-all group1_voice
match access-group 100
policy-map group1
class group1_voice
priority 1000
class group1_Routing
bandwidth percent 20
policy-map group1_parent
class class-default
shape average 3000000
service-policy group1
policy-map group2
class group2_voice
priority percent 20
class group2_Routing
bandwidth percent 10
policy-map group2_parent
class class-default
shape average 2000000
service-policy group2
interface tunnel 1
ip address 209.165.200.225 255.255.255.224
no ip redirects
ip mtu 1400
ip nhrp authentication testing
ip nhrp map multicast dynamic
ip nhrp map group spoke_group1 service-policy output group1_parent
ip nhrp map group spoke_group2 service-policy output group2_parent
ip nhrp network-id 172176366
ip nhrp holdtime 300
ip nhrp registration unique
tunnel source fastethernet 2/1/1
tunnel mode gre multipoint
tunnel protection ipsec profile DMVPN
interface fastethernet 2/1/1
ip address 209.165.200.226 255.255.255.224

Example: Enabling DMVPN Per-tunnel QoS Sourced from Port Channel


The following example shows how to enable DMVPN Per-tunnel QoS Sourced from Port Channel.
Example: Configuring on hub
platform qos port-channel-aggregate 1
!
class-map match-any class2
match ip precedence 5
!
policy-map p1
class class2
priority percent 60
!
interface Port-channel1
ip address 203.0.113.1 255.255.255.0
!
interface GigabitEthernet0/0/0
channel-group 1
!
interface GigabitEthernet0/0/1
channel-group 1
!
interface Tunnel1
ip address 10.9.9.1 255.255.255.0
no ip redirects
ip nhrp authentication cisco
nhrp map group group1 service-policy output p1
ip nhrp map multicast dynamic
ip nhrp network-id 1
tunnel source Port-channel 1
tunnel mode gre multipoint

Example: Configuring on spoke
platform qos port-channel-aggregate 1
!
interface Port-channel1
ip address 203.0.113.100 255.255.255.0
!
interface GigabitEthernet0/0/0
channel-group 1
!
interface GigabitEthernet0/0/1
channel-group 1
!
interface Tunnel1
ip address 10.9.9.11 255.255.255.0
no ip redirects
ip nhrp authentication cisco
ip nhrp map 10.9.9.1 203.0.113.1
ip nhrp map multicast 203.0.113.1
ip nhrp network-id 1
ip nhrp nhs 10.9.9.1
tunnel source Port-channel 1
nhrp group group1
tunnel mode gre multipoint

Example: Verifying Per-Tunnel QoS for DMVPN


The following example shows how to display the information about Next Hop Resolution Protocol (NHRP)
groups received from the spokes and display the quality of service (QoS) policy that is applied to each spoke
tunnel. You can enter this command on the hub.

Device# show dmvpn detail

Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface Tunnel1 is up/up, Addr. is 209.165.200.225, VRF ""
Tunnel Src./Dest. addr: 209.165.200.226/MGRE, Tunnel VRF ""
Protocol/Transport: "multi-GRE/IP", Protect "DMVPN"
Type:Hub, Total NBMA Peers (v4/v6): 3
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
----- --------------- --------------- ----- -------- ----- -----------------
1 209.165.200.227 192.0.2.2 UP 00:19:20 D 192.0.2.2/32
NHRP group: spoke_group1
Output QoS service-policy applied: group1_parent
1 209.165.200.228 192.0.2.3 UP 00:19:20 D 192.0.2.3/32
NHRP group: spoke_group1
Output QoS service-policy applied: group1_parent
1 209.165.200.229 192.0.2.4 UP 00:19:23 D 192.0.2.4/32
NHRP group: spoke_group2
Output QoS service-policy applied: group2_parent
Crypto Session Details:
-----------------------------------------------------------------------------
Interface: tunnel1
Session: [0x04AC1D00]
IKE SA: local 209.165.200.226/500 remote 209.165.200.227/500 Active
Crypto Session Status: UP-ACTIVE
fvrf: (none), Phase1_id: 209.165.200.227
IPSEC FLOW: permit 47 host 209.165.200.226 host 209.165.200.227
Active SAs: 2, origin: crypto map
Outbound SPI : 0x9B264329, transform : ah-sha-hmac
Socket State: Open
Interface: tunnel1
Session: [0x04AC1C08]
IKE SA: local 209.165.200.226/500 remote 209.165.200.228/500 Active
Crypto Session Status: UP-ACTIVE
fvrf: (none), Phase1_id: 209.165.200.228
IPSEC FLOW: permit 47 host 209.165.200.226 host 209.165.200.228
Active SAs: 2, origin: crypto map
Outbound SPI : 0x36FD56E2, transform : ah-sha-hmac
Socket State: Open
Interface: tunnel1
Session: [0x04AC1B10]
IKE SA: local 209.165.200.226/500 remote 209.165.200.229/500 Active
Crypto Session Status: UP-ACTIVE
fvrf: (none), Phase1_id: 209.165.200.229
IPSEC FLOW: permit 47 host 209.165.200.226 host 209.165.200.229
Active SAs: 2, origin: crypto map
Outbound SPI : 0xAC96818F, transform : ah-sha-hmac
Socket State: Open
Pending DMVPN Sessions:
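
As an added example (not part of this guide or Cisco's code), the following Python script turns the verification step above into a repeatable check. It reads the hub tunnel configuration for the nhrp map group statements and the show dmvpn detail peer table, and reports every spoke whose tunnel is not covered by the parent policy you expect. A spoke that registers without an nhrp group statement, or with a group the hub has not mapped, gets no per-tunnel shaping and competes unshaped for the hub uplink. Both inputs are constructed from the samples on this page; the fourth peer, 209.165.200.230, is added here only to show that case.

```python
"""Audit per-tunnel QoS assignment from hub 'show' output.

Added example for this page; it is not Cisco code. It reads the hub tunnel
configuration (to learn which NHRP group maps to which parent policy) and the
'show dmvpn detail' peer table (to see which group each spoke actually sent
and which policy the hub applied), then reports spokes whose tunnel ends up
unshaped. Both inputs are constructed from the samples on this page, plus one
extra peer (209.165.200.230) added to show the failure case.
"""
import re

# Constructed: the two 'nhrp map group' lines from the hub configuration above.
HUB_TUNNEL_CONFIG = """\
interface tunnel 1
 ip nhrp map group spoke_group1 service-policy output group1_parent
 ip nhrp map group spoke_group2 service-policy output group2_parent
"""

# Constructed: peer table from 'show dmvpn detail' above; the last peer is
# added here as a spoke that registered without an 'nhrp group' statement.
SHOW_DMVPN_DETAIL = """\
Interface Tunnel1 is up/up, Addr. is 209.165.200.225
Type:Hub, Total NBMA Peers (v4/v6): 4
# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    1 209.165.200.227       192.0.2.2    UP 00:19:20     D       192.0.2.2/32
NHRP group: spoke_group1
 Output QoS service-policy applied: group1_parent
    1 209.165.200.228       192.0.2.3    UP 00:19:20     D       192.0.2.3/32
NHRP group: spoke_group1
 Output QoS service-policy applied: group1_parent
    1 209.165.200.229       192.0.2.4    UP 00:19:23     D       192.0.2.4/32
NHRP group: spoke_group2
 Output QoS service-policy applied: group2_parent
    1 209.165.200.230       192.0.2.5    UP 00:00:41     D       192.0.2.5/32
"""

# 'ip nhrp map group' is the old syntax, 'nhrp map group' the current one;
# accept both so the audit works on migrated and unmigrated hubs.
MAP_RE = re.compile(r"^\s*(?:ip\s+)?nhrp map group (\S+) service-policy output (\S+)")
PEER_RE = re.compile(
    r"^\s*(\d+)\s+(?P<nbma>[0-9A-Fa-f.:]+)\s+(?P<tunnel>[0-9A-Fa-f.:]+)\s+"
    r"(?P<state>\S+)\s+\S+\s+\S+\s+(?P<target>\S+)\s*$")
GROUP_RE = re.compile(r"^\s*NHRP group:\s*(\S+)")
POLICY_RE = re.compile(r"^\s*Output QoS service-policy applied:\s*(\S+)")


def parse_group_map(config):
    """Return {nhrp_group: parent_policy} from the hub tunnel configuration."""
    return {m[1]: m[2] for m in map(MAP_RE.match, config.splitlines()) if m}


def parse_peers(show_output):
    """Return one dict per NBMA peer; group/policy stay None when not printed."""
    peers = []
    for line in show_output.splitlines():
        m = PEER_RE.match(line)
        if m:
            peers.append({"nbma": m["nbma"], "tunnel": m["tunnel"],
                          "state": m["state"], "group": None, "policy": None})
            continue
        if not peers:
            continue  # legend and header lines before the first peer row
        m = GROUP_RE.match(line)
        if m:
            peers[-1]["group"] = m[1]
            continue
        m = POLICY_RE.match(line)
        if m:
            peers[-1]["policy"] = m[1]
    return peers


def audit(peers, group_map):
    """List (nbma, reason) for every peer whose tunnel gets no or the wrong shaping."""
    findings = []
    for p in peers:
        if p["group"] is None:
            findings.append((p["nbma"], "spoke sent no NHRP group; tunnel is unshaped"))
        elif p["group"] not in group_map:
            findings.append((p["nbma"], f"group {p['group']} has no nhrp map group on the hub"))
        elif p["policy"] != group_map[p["group"]]:
            findings.append((p["nbma"], f"applied {p['policy']}, expected {group_map[p['group']]}"))
    return findings


if __name__ == "__main__":
    for nbma, reason in audit(parse_peers(SHOW_DMVPN_DETAIL), parse_group_map(HUB_TUNNEL_CONFIG)):
        print(f"{nbma}: {reason}")
```

Run it against the live output of show running-config interface tunnel 1 and show dmvpn detail on the hub; a clean run returns no findings, and the same parser can be pointed at show nhrp group-map to cross-check the group-to-policy list the hub itself reports.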

The following example shows how to display information about the NHRP groups that are received from the
spokes. You can enter this command on the hub.

Device# show ip nhrp

192.0.2.240/32 via 192.0.2.240
Tunnel1 created 00:22:49, expire 00:01:40
Type: dynamic, Flags: registered
NBMA address: 209.165.200.227
Group: spoke_group1
192.0.2.241/32 via 192.0.2.241
Tunnel1 created 00:22:48, expire 00:01:41
Type: dynamic, Flags: registered
NBMA address: 209.165.200.228
Group: spoke_group1
192.0.2.242/32 via 192.0.2.242
Tunnel1 created 00:22:52, expire 00:03:27
Type: dynamic, Flags: registered
NBMA address: 209.165.200.229
Group: spoke_group2

The following example shows how to display the details of NHRP group mappings on a hub and the list of
tunnels using each of the NHRP groups defined in the mappings. You can enter this command on the hub.

Device# show nhrp group-map

Interface: tunnel1
NHRP group: spoke_group1
QoS policy: group1_parent
Tunnels using the QoS policy:
Tunnel destination overlay/transport address
198.51.100.220/203.0.113.240
198.51.100.221/203.0.113.241
NHRP group: spoke_group2
QoS policy: group2_parent
Tunnels using the QoS policy:
Tunnel destination overlay/transport address
198.51.100.222/203.0.113.242

The following example shows how to display statistics about a specific QoS policy as it is applied to a tunnel
endpoint. You can enter this command on the hub.

Device# show policy-map multipoint

Interface tunnel1 <--> 203.0.113.252
Service-policy output: group1_parent
Class-map: class-default (match-any)
29 packets, 4988 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
Queueing
queue limit 750 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
shape (average) cir 3000000, bc 12000, be 12000
target shape rate 3000000
Service-policy : group1
queue stats for all priority classes:
queue limit 250 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
Class-map: group1_voice (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group 100
Priority: 1000 kbps, burst bytes 25000, b/w exceed drops: 0
Class-map: group1_Routing (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: ip precedence 6
Queueing
queue limit 150 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
bandwidth 20% (600 kbps)
Class-map: class-default (match-any)
29 packets, 4988 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
queue limit 350 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
Interface tunnel1 <--> 203.0.113.253
Service-policy output: group1_parent
Class-map: class-default (match-any)
29 packets, 4988 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
Queueing
queue limit 750 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
shape (average) cir 3000000, bc 12000, be 12000
target shape rate 3000000
Service-policy : group1
queue stats for all priority classes:
queue limit 250 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
Class-map: group1_voice (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group 100
Priority: 1000 kbps, burst bytes 25000, b/w exceed drops: 0
Class-map: group1_Routing (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: ip precedence 6
Queueing
queue limit 150 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
bandwidth 20% (600 kbps)
Class-map: class-default (match-any)
29 packets, 4988 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
queue limit 350 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
Interface tunnel1 <--> 203.0.113.254
Service-policy output: group2_parent
Class-map: class-default (match-any)
14 packets, 2408 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
Queueing
queue limit 500 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
shape (average) cir 2000000, bc 8000, be 8000
target shape rate 2000000
Service-policy : group2
queue stats for all priority classes:
queue limit 100 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
Class-map: group2_voice (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group 100
Priority: 20% (400 kbps), burst bytes 10000, b/w exceed drops: 0
Class-map: group2_Routing (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: ip precedence 6
Queueing
queue limit 50 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
bandwidth 10% (200 kbps)
Class-map: class-default (match-any)
14 packets, 2408 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
queue limit 350 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0

Additional References for Per-Tunnel QoS for DMVPN


Related Documents

Related Topic Document Title

Cisco IOS commands Cisco IOS Master Command List, All Releases

Security commands • Cisco IOS Security Command Reference Commands A to C
• Cisco IOS Security Command Reference Commands D to L
• Cisco IOS Security Command Reference Commands M to R
• Cisco IOS Security Command Reference Commands S to Z

IP NHRP commands Cisco IOS IP Addressing Services Command Reference

Configuring Basic Cisco Express Forwarding    IP Switching Cisco Express Forwarding Configuration Guide

Configuring NHRP IP Addressing: NHRP Configuration Guide

Recommended cryptographic algorithms Next Generation Encryption

Technical Assistance

Description Link

The Cisco Support and Documentation website provides online resources to download documentation, software,
and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical
issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation
website requires a Cisco.com user ID and password.
http://www.cisco.com/cisco/web/support/index.html

Feature Information for Per-Tunnel QoS for DMVPN


The following table provides release information about the feature or features described in this module. This
table lists only the software release that introduced support for a given feature in a given software release
train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 4: Feature Information for Per-Tunnel QoS for DMVPN

Feature Name    Releases    Feature Information

Per-Tunnel QoS    15.4(1)T / 3.11S    The Per-Tunnel QoS for DMVPN feature introduces per-tunnel QoS
support for DMVPN and increases per-tunnel QoS performance for IPsec tunnel interfaces.
In , this feature was enhanced to provide support for IPv6 addresses.
The following commands were introduced or modified: ip nhrp map, nhrp group, nhrp map group, show dmvpn,
show ip nhrp, show ip nhrp group-map, show nhrp group-map, show policy-map multipoint tunnel.
The commands ip nhrp group and ip nhrp map group were deprecated and hidden in the CLI. They are replaced
with the protocol-agnostic nhrp group and nhrp map group. The configuration needs to be manually migrated
to the new syntax.

    16.6.5, 16.8.1    The commands ip nhrp group and ip nhrp map group are removed from the CLI. Manual
migration before or after upgrade is required.

QoS: Spoke to Spoke Per-tunnel QoS for DMVPN        The QoS: Spoke to Spoke Per-tunnel QoS for DMVPN
feature enables a DMVPN client to establish a direct crypto tunnel with another DMVPN client leveraging the
per-tunnel QoS policy, using Next Hop Resolution Protocol (NHRP) to build spoke-to-spoke connections.
The following commands were introduced or modified: nhrp attribute group, show dmvpn, show ip nhrp.
Note: The command show ip nhrp group is deprecated and is not in use.

QoS: DMVPN Per-tunnel QoS over Aggregate GEC    Cisco IOS XE Everest 16.4.1    The QoS: DMVPN Per-tunnel
QoS over Aggregate GEC feature is supported.

CHAPTER 5
DMVPN Tunnel Health Monitoring and Recovery
The Dynamic Multipoint VPN Tunnel Health Monitoring and Recovery feature enhances the ability of the
system to monitor and report Dynamic Multipoint VPN (DMVPN) events. It includes support for Simple
Network Management Protocol (SNMP) Next Hop Resolution Protocol (NHRP) notifications for critical
DMVPN events and support for DMVPN syslog messages. It also enables the system to control the state of
the tunnel interface based on the health of the DMVPN tunnels.
• Finding Feature Information, on page 105
• Prerequisites for DMVPN Tunnel Health Monitoring and Recovery, on page 105
• Restrictions for DMVPN Tunnel Health Monitoring and Recovery, on page 106
• Information About DMVPN Tunnel Health Monitoring and Recovery, on page 106
• How to Configure DMVPN Tunnel Health Monitoring and Recovery, on page 109
• Configuration Examples for DMVPN Tunnel Health Monitoring and Recovery, on page 111
• Additional References for DMVPN Tunnel Health Monitoring and Recovery, on page 112
• Feature Information for DMVPN Tunnel Health Monitoring and Recovery, on page 113

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for DMVPN Tunnel Health Monitoring and Recovery

SNMP NHRP notifications
• SNMP is enabled in the system.
• Generic SNMP configurations for Get and Set operations and for notifications are implemented in the
system.

• All relevant NHRP traps are enabled.

Restrictions for DMVPN Tunnel Health Monitoring and Recovery
MIB SNMP
• SNMP SET UNDO is not supported.
• The MIB Persistence feature that enables the MIB-SNMP data to persist across reloads is not supported.
However, a virtual persistence for the MIB notification control object happens, because that information
is also captured via the configuration command line interface (CLI).
• Notifications and syslogs are not virtual routing and forwarding (VRF)-aware.
• The Rate Limit Exceeded notification does not differentiate between the IPv4 or IPv6 protocol type.

Interface State Control


• Interface state control can be configured on leaf spoke nodes only.
• Interface state control supports IPv4 only.

Information About DMVPN Tunnel Health Monitoring and Recovery

NHRP Extension MIB
The NHRP Extension MIB module comprises objects that maintain redirect-related statistics for both clients
and servers, and for the following SNMP notifications for critical DMVPN events:
• A spoke perceives that a hub has gone down. This can occur even if the spoke was not previously registered
with the hub.
• A spoke successfully registers with a hub.
• A hub perceives that a spoke has gone down.
• A hub perceives that a spoke has come up.
• A spoke or hub perceives that another NHRP peer, not related by an NHRP registration, has gone down.
For example, a spoke-spoke tunnel goes down.
• A spoke or hub perceives that another NHRP peer, not related by an NHRP registration, has come up.
For example, a spoke-spoke tunnel comes up.
• The rate limit set for NHRP packets on the interface is exceeded.

The agent implementation of the MIB provides a means to enable and disable specific traps, from either the
network management system or the CLI.

DMVPN Syslog Messages


The DMVPN syslog feature provides syslog messages for the following events:
• All next-hop state change events. For example, when the system declares that a Next Hop Server (NHS),
Next Hop Client (NHC), or a Next Hop Peer (NHP) is up or down. The severity level for these messages
is set to critical.
• NHRP resolution events. For example, when a spoke sends a resolution to a remote spoke, or when an
NHRP resolution times out without receiving a response. The severity level for these messages is set to
informational.
• DMVPN cryptography events. For example, when a DMVPN socket entry changes from open to closed,
or from closed to open. The severity level for these messages is set to notification.
• NHRP error notifications. For example, when an NHRP registration or resolution event fails, when a
system check event fails, or when an NHRP encapsulation error occurs, an NHRP error notification is
displayed. The severity level for these messages is set to errors.
A sample NHRP error message is given below:
Received Error Indication from 209.165.200.226, code: administratively prohibited(4), (trigger src:
209.165.200.228 (nbma: 209.165.200.230) dst: 209.165.202.140), offset: 0, data: 00 01 08 00 00 00 00
00 00 FE 00 68 F4 03 00 34
The error message includes the IP address of the node where the error originates, the source nonbroadcast
multiaccess (NBMA), and the destination address.
• DMVPN error notifications. For example, when the NET_ID value is not configured, or when an NHRP
multicast replication failure occurs. The severity level is set to notification for the unconfigured NET_ID
value message, and set to errors if an NHRP multicast replication failure occurs.
• The rate limit set for NHRP packets on the interface is exceeded. This event occurs when the NHRP
packets handled by the NHRP process exceed the rate limit set on the interface. The severity level for
this message is set to warning.
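
As an added example (not part of this guide or Cisco's code), the following Python script parses the error-indication message quoted above into its fields and decodes the 16 data octets. Treating those octets as the first 16 octets of the RFC 2332 fixed header of the rejected packet (ar$afn through ar$extoff) is an assumption, since the page does not say what the dump contains; under that layout the sample decodes consistently (address family IPv4, protocol type 0x0800, hop count 254, packet size 104, extensions at offset 52). The sample line is the page's own message joined onto one line.

```python
"""Parse the NHRP error-indication syslog text shown above.

Added example for this page; it is not Cisco code. The field layout of the
message follows the sample quoted on the page. Decoding the 16 'data' octets
as the first 16 octets of the RFC 2332 fixed header (ar$afn .. ar$extoff) of
the rejected packet is an assumption, not something the page states; the
bytes decode consistently under that layout.
"""
import re
import struct

# Constructed sample: the message quoted above, joined onto one line.
SAMPLE = (
    "Received Error Indication from 209.165.200.226, code: administratively "
    "prohibited(4), (trigger src: 209.165.200.228 (nbma: 209.165.200.230) "
    "dst: 209.165.202.140), offset: 0, data: 00 01 08 00 00 00 00 00 00 FE "
    "00 68 F4 03 00 34"
)

MSG_RE = re.compile(
    r"Received Error Indication from (?P<origin>\S+), "
    r"code: (?P<code_name>[^()]+)\((?P<code>\d+)\), "
    r"\(trigger src: (?P<src>\S+) \(nbma: (?P<nbma>\S+)\) dst: (?P<dst>\S+)\), "
    r"offset: (?P<offset>\d+), data: (?P<data>[0-9A-Fa-f ]+)"
)

# RFC 2332 section 5.1, first 16 octets of the fixed header:
# ar$afn(2) ar$pro.type(2) ar$pro.snap(5) ar$hopcnt(1) ar$pktsz(2) ar$chksum(2) ar$extoff(2)
FIXED_HDR = struct.Struct("!HH5sBHHH")
AFN = {1: "IPv4", 2: "IPv6"}                 # IANA address family numbers
PRO_TYPE = {0x0800: "IPv4", 0x86DD: "IPv6"}  # Ethertype-style protocol types


def decode_fixed_header(raw):
    """Decode the leading 16 octets of an NHRP packet; None if too short."""
    if len(raw) < FIXED_HDR.size:
        return None
    afn, pro, snap, hopcnt, pktsz, chksum, extoff = FIXED_HDR.unpack_from(raw)
    return {
        "afn": AFN.get(afn, afn),
        "protocol": PRO_TYPE.get(pro, hex(pro)),
        "snap": snap.hex(),
        "hop_count": hopcnt,
        "packet_size": pktsz,
        "checksum": chksum,
        "ext_offset": extoff,
        # Extensions must start inside the packet; anything else is malformed.
        "ext_offset_ok": extoff == 0 or extoff <= pktsz,
    }


def parse_error_indication(line):
    """Return the message fields plus the decoded header of the rejected packet."""
    m = MSG_RE.search(line)
    if m is None:
        raise ValueError("not an NHRP error indication line")
    raw = bytes.fromhex("".join(m["data"].split()))
    rec = {k: m[k] for k in ("origin", "code_name", "src", "nbma", "dst")}
    rec["code_name"] = rec["code_name"].strip()
    rec["code"] = int(m["code"])
    rec["offset"] = int(m["offset"])
    # offset 0 means the dump starts at the beginning of the rejected packet,
    # which is the only case where the fixed-header layout applies.
    rec["header"] = decode_fixed_header(raw) if rec["offset"] == 0 else None
    return rec


if __name__ == "__main__":
    for key, value in parse_error_indication(SAMPLE).items():
        print(f"{key}: {value}")
```

The decoded hop count, packet size and extension offset let an analyst separate a policy rejection (a well-formed packet the NHS refused) from a malformed or truncated one; the origin, trigger source and NBMA fields identify which peer to look at.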

Interface State Control


The Interface State Control feature allows NHRP to control the state of the interface based on whether the
tunnels on the interface are live. If NHRP detects that all NHSs configured on the interface are in the down
state, NHRP can change the interface state to down. However, if NHRP detects that any one of the NHSs
configured on the interface is up, then it can change the state of the interface to up.
When NHRP changes the interface state, other Cisco services can react to the state change, for example:
• If the interface state changes, the generic routing encapsulation (GRE) interface generates IF-MIB
notifications (traps) that report a LinkUp or LinkDown message. The system uses these traps to monitor
the connectivity to the DMVPN cloud.
• If the interface state changes to down, the Cisco IOS backup interface feature can be initiated to allow
the system to use another interface to provide an alternative path to the failed primary path.
• If the interface state changes to down, the system generates an update that is sent to all dynamic routing
protocols. The Interface State Control feature provides a failover mechanism for dynamic routing when the
multipoint GRE (mGRE) interface is down.

• If the interface state changes to down, the system clears any static routes that use the mGRE interface
as the next hop. The Interface State Control feature provides a failover mechanism for routing when the
mGRE interface is down.

The interface state control feature works on both point-to-point and mGRE interfaces.

Interface State Control Configuration Workflow


The diagram below illustrates how the system behaves when the Interface State Control feature is initialized.
Figure 6: Interface State Control Configuration Initialization Workflow

The Interface State Control initialization works as follows:


1. The Interface State Control feature is enabled on the GRE interface with NHRP configured.
2. The system reevaluates the protocol state and changes the state to line up and protocol down if none of
the configured NHSs is responding.
3. The line up state change initiates the NHRP registration process.
4. The NHRP registration process initiates the IPsec tunnel.
5. The IPsec tunnel initiation starts the IPsec and IKE tunnel negotiation process.
6. On successful completion of the tunnel negotiation process, the system sends an IPsec Session Up
message.
7. The NHRP registration process receives the IPsec Session Up message.
8. The NHRP registration process reports the line up and protocol up state to the GRE interface.
9. The GRE interface state changes to line up and protocol up.
10. The system reports the GRE interface state change to Cisco software.
11. The state change triggers Cisco services, such as interface event notifications, syslog events, DHCP
renew, IP route refresh, and SNMP traps.

How to Configure DMVPN Tunnel Health Monitoring and Recovery

The DMVPN Tunnel Health Monitoring and Recovery feature allows you to configure SNMP NHRP
notifications and interface states.

Configuring Interfaces to Generate SNMP NHRP Notifications


You can configure an interface so that SNMP NHRP traps are generated for NHRP events. In addition, you
can configure the system to send the traps to particular trap receivers. To configure SNMP NHRP notifications
on an interface, perform the steps in this section.

SUMMARY STEPS
1. enable
2. configure terminal
3. snmp-server community string rw
4. snmp-server enable traps nhrp nhs
5. snmp-server enable traps nhrp nhc
6. snmp-server enable traps nhrp nhp
7. snmp-server enable traps nhrp quota-exceeded
8. snmp-server host ip-address version snmpversion community-string
9. end

DETAILED STEPS

Command or Action    Purpose

Step 1  enable    Enables privileged EXEC mode.
• Enter your password if prompted.
Example:

Device> enable

Step 2  configure terminal    Enters global configuration mode.
Example:

Device# configure terminal

Step 3  snmp-server community string rw    Configures the community access string to permit access
to the SNMP agent. The string public with read-write (rw) access is used here for illustration only; in
production, use a unique string, grant rw access only where SNMP SET operations are actually required,
restrict it with an access list, and prefer SNMPv3 with authentication and privacy.
Example:

Device(config)# snmp-server community public rw
Step 4  snmp-server enable traps nhrp nhs    Enables NHRP NHS notifications.
Example:

Device(config)# snmp-server enable traps nhrp nhs

Step 5 snmp-server enable traps nhrp nhc Enables NHRP NHC notifications.
Example:

Device(config)# snmp-server enable traps nhrp nhc

Step 6  snmp-server enable traps nhrp nhp    Enables NHRP NHP notifications.
Example:

Device(config)# snmp-server enable traps nhrp nhp

Step 7  snmp-server enable traps nhrp quota-exceeded    Enables notifications for when the rate limit set on the
NHRP packets is exceeded on the interface.
Example:

Device(config)# snmp-server enable traps nhrp quota-exceeded

Step 8  snmp-server host ip-address version snmpversion community-string    Specifies the recipient of an
SNMP notification operation.
• By default, SNMP notifications are sent as traps.
• All NHRP traps are sent to the notification receiver with the IP address 192.40.3.130 using the community
string public.
Example:

Device(config)# snmp-server host 192.40.3.130 version 2c public

Step 9  end    Exits the current configuration mode and returns to privileged EXEC mode.
Example:

Device(config)# end

Troubleshooting Tips
Use the debug snmp mib nhrp command to troubleshoot SNMP NHRP notifications.

Configuring Interface State Control on an Interface


The Interface State Control feature enables the system to control the state of an interface based on whether
the DMVPN tunnels connected to the interface are live or not. To configure interface state control on an
interface, perform the steps in this section.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. if-state nhrp
5. end

DETAILED STEPS

Command or Action    Purpose

Step 1  enable    Enables privileged EXEC mode.
• Enter your password if prompted.
Example:

Device> enable

Step 2  configure terminal    Enters global configuration mode.
Example:

Device# configure terminal

Step 3 interface type number Configures an interface type and enters interface
configuration mode.
Example:

Device(config)# interface tunnel 1

Step 4 if-state nhrp Enables NHRP to control the state of the tunnel interface.
Example:

Device(config-if)# if-state nhrp

Step 5  end    Exits the current configuration mode and returns to privileged EXEC mode.
Example:

Device(config-if)# end

Configuration Examples for DMVPN Tunnel Health Monitoring and Recovery

Example: Configuring SNMP NHRP Notifications
The following example shows how to configure SNMP NHRP notifications on a hub or spoke:

Device(config)# snmp-server community public rw
Device(config)# snmp-server enable traps nhrp nhs
Device(config)# snmp-server enable traps nhrp nhc
Device(config)# snmp-server enable traps nhrp nhp
Device(config)# snmp-server enable traps nhrp quota-exceeded
Device(config)# snmp-server host 209.165.200.226 version 2c public

Example: Configuring Interface State Control


The following example shows how to configure the Interface State Control feature for a spoke:

interface Tunnel 1
ip address 209.165.200.228 255.255.255.0
no ip redirects
ip nhrp authentication cisco
ip nhrp map 209.165.201.2 209.165.201.10
ip nhrp map 209.165.201.3 209.165.201.11
ip nhrp map multicast 209.165.201.10
ip nhrp map multicast 209.165.201.11
ip nhrp network-id 1
ip nhrp holdtime 90
ip nhrp nhs 209.165.201.3
ip nhrp nhs 209.165.201.2
ip nhrp shortcut
if-state nhrp
tunnel source Ethernet0/0
tunnel mode gre multipoint
!
end

Additional References for DMVPN Tunnel Health Monitoring and Recovery

Related Documents

Related Topic Document Title

Cisco IOS commands Cisco IOS Master Commands List, All Releases

Dynamic Multipoint VPN information “Dynamic Multipoint VPN (DMVPN)” module in the Cisco IOS
Security Configuration Guide: Secure Connectivity

IKE configuration tasks such as defining “Configuring Internet Key Exchange for IPsec VPNs” module in
an IKE policy the Cisco IOS Security Configuration Guide: Secure Connectivity

IPsec configuration tasks “Configuring Security for VPNs with IPsec” module in the Cisco
IOS Security Configuration Guide: Secure Connectivity

System messages System Messages Guide

Standards and RFCs

Standard/RFC Title

RFC 2332 NBMA Next Hop Resolution Protocol (NHRP)

RFC 2677 Definitions of Managed Objects for the NBMA Next Hop Resolution Protocol (NHRP)

MIBs

MIB    MIBs Link

• CISCO-NHRP-EXT-MIB
• NHRP-MIB
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB
Locator found at the following URL:
http://www.cisco.com/go/mibs

Technical Assistance

Description Link

The Cisco Support and Documentation website provides online resources to download documentation, software,
and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical
issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation
website requires a Cisco.com user ID and password.
http://www.cisco.com/cisco/web/support/index.html

Feature Information for DMVPN Tunnel Health Monitoring and Recovery
The following table provides release information about the feature or features described in this module. This
table lists only the software release that introduced support for a given feature in a given software release
train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 5: Feature Information for Tunnel Health Monitoring and Recovery

Feature Name                            Releases   Feature Information
DMVPN—Tunnel Health Monitoring and                 The DMVPN—Tunnel Health Monitoring and Recovery (Interface
Recovery (Interface Line Control)                  Line Control) feature enables NHRP to control the state of the
                                                   tunnel interface based on the health of the DMVPN tunnels.
                                                   The following command was introduced: if-state nhrp.

CHAPTER 6
DMVPN-Tunnel Health Monitoring and Recovery Backup NHS
The DMVPN-Tunnel Health Monitoring and Recovery (Backup NHS) feature allows you to control the
number of connections to the Dynamic Multipoint Virtual Private Network (DMVPN) hub and allows you
to switch to alternate hubs in case of a connection failure to the primary hubs.
The recovery mechanism provided by the DMVPN-Tunnel Health Monitoring and Recovery (Backup NHS)
feature allows a spoke to recover from a failed spoke-to-hub tunnel path by replacing that tunnel with
another active spoke-to-hub tunnel. The spoke selects the next hop server (NHS), that is, the hub, from a list
of NHSs configured on the spoke. You can assign priority values to the NHSs to control the order in which
the spoke selects an NHS.
• Finding Feature Information, on page 115
• Information About DMVPN-Tunnel Health Monitoring and Recovery Backup NHS, on page 116
• How to Configure DMVPN-Tunnel Health Monitoring and Recovery Backup NHS, on page 121
• Configuration Examples for DMVPN-Tunnel Health Monitoring and Recovery Backup NHS, on page
125
• Additional References, on page 126
• Feature Information for DMVPN-Tunnel Health Monitoring and Recovery Backup NHS, on page 127

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.


Information About DMVPN-Tunnel Health Monitoring and Recovery Backup NHS

NHS States
An NHS passes through different states while a spoke associates with it to form a spoke-to-hub tunnel. The
table below describes the NHS states.

Table 6: NHS States

State   Description
DOWN    NHS is waiting to get scheduled.
PROBE   NHS is declared DOWN but is still actively probed by the spoke to bring it UP.
UP      NHS is associated with a spoke to establish a tunnel.

NHS Priorities
NHS priority is a numerical value assigned to a hub that controls the order in which spokes select hubs to
establish a spoke-to-hub tunnel. The priority value ranges from 0 to 255, where 0 is the highest and 255 is the
lowest priority.
You can assign hub priorities in the following ways:
• Unique priorities to all NHSs.
• The same priority level to a group of NHSs.
• Unspecified priority (value 0) for an NHS, a group of NHSs, or all NHSs.

NHS Clusterless Model

In the NHS clusterless model you assign priority values to the NHSs but do not place them into any group.
All NHSs then belong to a default group, and the spoke maintains redundant connections according to the
configured maximum number of NHS connections, which is the number of NHS connections in a cluster that
must be active at any point in time. The valid range for maximum NHS connections is from 0 to 255.
Priority values are assigned to the hubs to control the order in which the spokes select hubs to establish the
spoke-to-hub tunnel. However, assigning these priorities in a clusterless model has certain limitations.
The table below provides an example of limitations for assigning priorities in a clusterless model.

Table 7: Limitations of Clusterless Mode

Maximum Number of Connections = 3

NHS      NHS Priority   Scenario 1   Scenario 2
NHS A1   1              UP           UP
NHS B1   1              UP           PROBE
NHS C1   1              UP           UP
NHS A2   2              DOWN         UP
NHS B2   2              DOWN         DOWN
NHS C2   2              DOWN         DOWN

Consider a scenario with three data centers, A, B, and C, each with two NHSs: NHSs A1 and A2 form one
data center, NHSs B1 and B2 another, and NHSs C1 and C2 the third.
Although two NHSs are available in each data center, the spoke is connected to only one NHS of each data
center at any point in time, so the maximum number of connections is set to 3 and three spoke-to-hub
tunnels are established. If one NHS, for example NHS B1, becomes inactive, the spoke-to-hub tunnel to
NHS B1 goes down. Because all NHSs are in a single group, NHS A2 is the next available NHS in priority
order, so the spoke forms a tunnel to it and it comes up. This does not meet the requirement that a hub from
data center B remain associated with the spoke, so no connection to data center B exists.
This problem is addressed by placing NHSs into different groups (clusters), each configured with its own
maximum connection value. NHSs that are not assigned to any group belong to the default group.

NHS Clusters
The table below presents an example of cluster functionality. NHSs belonging to different data centers are
grouped into clusters. NHS A1 and NHS A2, with priority 1 and 2 respectively, are grouped as cluster 1;
NHS B1 and NHS B2, with priority 1 and 2, as cluster 2; and NHS C1 and NHS C2, with priority 1 and 2,
as cluster 3. NHS 7, NHS 8, and NHS 9 are part of the default cluster. The maximum number of connections
is set to 1 for clusters 1, 2, and 3 and to 2 for the default cluster, so at least one spoke-to-hub tunnel is
continuously established with each of the four clusters.
In scenario 1, NHS A1, NHS B1, and NHS C1, the highest-priority hub in each cluster, are in the UP state.
In scenario 2, the connection between the spoke and NHS A1 breaks, and a connection is established between
the spoke and NHS A2, a hub from the same cluster. NHS A1, which has the highest priority, moves to the
PROBE state. In this way a connection to each of the three data centers exists at all times.

Table 8: Cluster Functionality

NHS      NHS Priority   Cluster   Maximum Number of Connections   Scenario 1   Scenario 2
NHS A1   1              1         1                               UP           PROBE
NHS A2   2              1         1                               DOWN         UP
NHS B1   1              2         1                               UP           UP
NHS B2   2              2         1                               DOWN         DOWN
NHS C1   1              3         1                               UP           UP
NHS C2   2              3         1                               DOWN         DOWN
NHS 7    1              Default   2                               UP           DOWN
NHS 8    2              Default   2                               UP           UP
NHS 9    0              Default   2                               PROBE        UP

NHS Fallback Time

Fallback time is the time that the spoke waits, after an NHS with a higher priority becomes active, before
detaching from the lower-priority NHS it is using and connecting to the highest-priority NHS to form a
spoke-to-hub tunnel. Fallback time helps avoid excessive flaps.
The table below shows how the spoke flaps excessively from one NHS to another when no fallback time is
configured on the spoke. Five NHSs with different priorities are available to form a spoke-to-hub tunnel.
All of them belong to the default cluster, and the maximum number of connections is one.

Table 9: NHS Behavior when Fallback Time is not Configured

NHS     NHS Priority   Cluster   Scenario 1   Scenario 2   Scenario 3   Scenario 4   Scenario 5
NHS 1   1              Default   PROBE        PROBE        PROBE        PROBE        UP
NHS 2   2              Default   PROBE        PROBE        PROBE        UP           DOWN
NHS 3   3              Default   PROBE        PROBE        UP           DOWN         DOWN
NHS 4   4              Default   PROBE        UP           DOWN         DOWN         DOWN
NHS 5   5              Default   UP           DOWN         DOWN         DOWN         DOWN

In scenario 1, NHS 5, which has the lowest priority (the highest priority value), is connected to the spoke to
form a tunnel. All the other NHSs, which have higher priorities than NHS 5, are in the PROBE state.
In scenario 2, when NHS 4 becomes active, the spoke tears down the existing tunnel and establishes a new
connection with NHS 4. In scenarios 3 and 4, the spoke again breaks the existing connection as soon as an
NHS with a higher priority becomes active and establishes a new tunnel. In scenario 5, when the NHS with
the highest priority (NHS 1) becomes active, the spoke connects to it to form a tunnel and stays with it until
that NHS becomes inactive. Because NHS 1 has the highest priority, no other NHS is in the PROBE state.


The table below shows how configuring the fallback time avoids excessive flapping. The maximum number
of connections is one, and a fallback time of 30 seconds is configured on the spoke. In scenario 2, an NHS
with a higher priority than the NHS associated with the spoke becomes active, but the spoke does not break
the existing tunnel until the fallback time elapses. Hence, although NHS 4 becomes active, it does not form
a tunnel or reach the UP state; it stays active but unused until the fallback time elapses. Once the fallback
time elapses, the spoke connects to the NHS with the highest priority among the active NHSs.
This way, the flaps that would otherwise occur as soon as an NHS of higher priority becomes active are avoided.

Table 10: NHS Behavior when Fallback Time is Configured

NHS     NHS Priority   Cluster   Scenario 1   Scenario 2   Scenario 3   Scenario 4   Scenario 5
NHS 1   1              Default   PROBE        PROBE        PROBE        UP-hold      UP
NHS 2   2              Default   PROBE        PROBE        UP-hold      UP-hold      DOWN
NHS 3   3              Default   PROBE        UP-hold      UP-hold      UP-hold      DOWN
NHS 4   4              Default   UP-hold      UP-hold      UP-hold      UP-hold      DOWN
NHS 5   5              Default   UP           UP           UP           UP           DOWN

NHS Recovery Process


NHS recovery is a process of establishing an alternative spoke-to-hub tunnel when the existing tunnel becomes
inactive, and connecting to the preferred hub upon recovery.
The following sections explain NHS recovery:

Alternative Spoke to Hub NHS Tunnel


When a spoke-to-hub tunnel fails it must be backed up with a new spoke-to-hub tunnel. The new NHS is
picked from the same cluster to which the failed hub belonged. This ensures that the required number of
spoke-to-hub tunnels are always present although one or more tunnel paths are unavailable.
The table below presents an example of NHS backup functionality.

Table 11: NHS Backup Functionality

NHS      NHS Priority   Cluster   Maximum Number of Connections   Scenario 1   Scenario 2   Scenario 3
NHS A1   1              1         1                               UP           PROBE        PROBE
NHS A2   2              1         1                               DOWN         UP           DOWN
NHS A3   2              1         1                               DOWN         DOWN         UP
NHS A4   2              1         1                               DOWN         DOWN         DOWN
NHS B1   1              3         1                               UP           PROBE        PROBE
NHS B2   2              3         1                               DOWN         UP           DOWN
NHS B3   2              3         1                               DOWN         DOWN         UP
NHS B4   2              3         1                               DOWN         DOWN         DOWN
NHS 9    Default        Default   1                               UP           UP           DOWN
NHS 10                  Default   1                               DOWN         DOWN         UP

Four NHSs in cluster 1, four in cluster 3, and two in the default cluster are available for setting up
spoke-to-hub tunnels, with the priorities shown in the table. The maximum number of connections is set to 1
for all three clusters; that is, at any point in time at least one NHS from each cluster must be connected to
the spoke to form a tunnel.
In scenario 1, NHS A1 from cluster 1, NHS B1 from cluster 3, and NHS 9 from the default cluster are UP,
and each has its own spoke-to-hub tunnel. In scenario 2, NHS A1 and NHS B1, the highest-priority hubs in
their respective clusters, become inactive, so tunnels are established from the spoke to NHS A2 and NHS B2,
which have the next best priority. The spoke continues to probe NHS A1 and NHS B1 because they have the
highest priority, so they remain in the PROBE state.
In scenario 3, NHS A2, NHS B2, and NHS 9 become inactive. The spoke checks whether the NHSs in the
PROBE state have become active and, if so, connects to them. As the table shows, none of the NHSs in the
PROBE state is active, so the spoke connects to NHS A3 of cluster 1 and NHS B3 of cluster 3 (and to NHS 10
in the default cluster). NHS A1 and NHS B1 remain in the PROBE state until they associate with the spoke
to form a tunnel and reach the UP state.

Returning to Preferred NHS Tunnel upon Recovery


When a spoke-to-hub tunnel fails, a backup tunnel is established using the NHS with the next best priority.
Even though the tunnel is established with a lower-priority NHS, the spoke continuously probes the NHS
with the highest priority. Once that NHS becomes active, the spoke establishes a tunnel with it and the NHS
attains the UP state.
The table below presents NHS recovery functionality. Four NHSs in cluster 1, four in cluster 3, and two in
the default cluster are available for setting up spoke-to-hub tunnels, with the priorities shown in the table.
The maximum connection value is set to 1 for each cluster. In scenario 1, NHS A4, NHS B4, and NHS 10,
the lowest-priority hubs in their respective clusters, are associated with the spoke. The spoke continues to
probe the higher-priority NHSs in order to connect to the NHS with the highest priority; hence, in each
cluster, the NHSs with a better priority than the active one are in the PROBE state. In scenario 2, NHS A1
becomes active, forms a tunnel with the spoke, and attains the UP state. Because NHS A1 has the highest
priority, the spoke does not probe any other NHS in the cluster, so all the other NHSs in cluster 1 are in the
DOWN state.
When the connection with NHS B4 breaks, the spoke connects to NHS B3, which has the next best priority,
because NHS B1 of cluster 3 is not active. In scenario 3, NHS A1 continues to be in the UP state, and NHS B1,
with the highest priority in cluster 3, becomes active, forms a tunnel, and attains the UP state; hence no
other NHS in cluster 3 is in the PROBE state. However, because NHS 10, with the lowest priority in the
default cluster, is in the UP state, the spoke continues to probe NHS 9, which has the highest priority in
that cluster.
In scenario 4, NHS A1 and NHS B1 continue to be in the UP state, and NHS 9, with the highest priority in
the default cluster, attains the UP state. Because the spoke is now associated with the highest-priority NHS
in every cluster, none of the NHSs is in the PROBE state.

Table 12: NHS Recovery Functionality

NHS      NHS Priority   Cluster   Maximum Number of Connections   Scenario 1   Scenario 2   Scenario 3   Scenario 4
NHS A1   1              1         1                               PROBE        UP           UP           UP
NHS A2   2              1         1                               DOWN         DOWN         DOWN         DOWN
NHS A3   2              1         1                               DOWN         DOWN         DOWN         DOWN
NHS A4   2              1         1                               UP           DOWN         DOWN         DOWN
NHS B1   1              3         1                               PROBE        PROBE        UP           UP
NHS B2   10             3         1                               PROBE        DOWN         DOWN         DOWN
NHS B3   10             3         1                               PROBE        UP           DOWN         DOWN
NHS B4   30             3         1                               UP           DOWN         DOWN         DOWN
NHS 9    Default        Default   1                               PROBE        PROBE        PROBE        UP
NHS 10   100            Default   1                               UP           UP           UP           DOWN
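
The selection rules described above (per-cluster maximum connections, lower priority value preferred, better hubs that are down kept in PROBE, and a fallback hold before switching back) can be checked against the tables by modelling them. The following Python model is an added example and is not Cisco code; it does not speak NHRP. Whether a hub is reachable is a constructed input that stands in for the result of the spoke's registration probes, the timer is driven by explicit elapsed seconds rather than a clock, and the rule that hubs with the same priority as the active hub are not probed is inferred from the tables on this page. The two walk-through functions reproduce cluster 1 of Table 11 and all of Table 10.

```python
"""Model of how a DMVPN spoke chooses next hop servers (NHSs).

Added example, not Cisco code. It implements the selection rules this chapter
describes: per-cluster max-connections, the lowest priority value wins, hubs
with a better priority that are down stay in PROBE, and a fallback hold delays
the switch back to a recovered hub. Reachability is a constructed input that
stands in for the outcome of the spoke's NHRP registration probes.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

DEFAULT_CLUSTER = 0


@dataclass(eq=False)
class Nhs:
    name: str
    priority: int            # 0 is the highest priority, 255 the lowest
    cluster: int = DEFAULT_CLUSTER
    reachable: bool = True   # constructed: does registration with this hub succeed?
    state: str = "DOWN"


class Spoke:
    def __init__(self, nhss: List[Nhs], max_connections: Dict[int, int], fallback: int = 0):
        self.nhss = nhss
        self.max_connections = max_connections   # cluster -> max-connections
        self.fallback = fallback                 # ip nhrp nhs fallback <seconds>; 0 = none
        self.up: Dict[int, Set[str]] = {}        # cluster -> hubs with a live tunnel
        self.hold_left: Dict[int, int] = {}      # cluster -> fallback seconds still to wait

    def evaluate(self, elapsed: int = 0) -> Dict[str, str]:
        """Recompute every NHS state after `elapsed` seconds; returns name -> state."""
        for cid in sorted({n.cluster for n in self.nhss}):
            members = sorted((n for n in self.nhss if n.cluster == cid),
                             key=lambda n: n.priority)
            limit = self.max_connections.get(cid, 1)
            reachable = [n for n in members if n.reachable]
            live = [n for n in reachable if n.name in self.up.get(cid, set())]

            # A failed tunnel is replaced at once by the best spare hub of the same cluster.
            spares = [n for n in reachable if n not in live]
            while len(live) < limit and spares:
                live.append(spares.pop(0))

            # A recovered hub with a better priority is adopted only once the fallback
            # time has run out, so a flapping hub does not drag the spoke with it.
            best = reachable[:limit]
            if any(n not in live for n in best):
                left = self.hold_left.get(cid, self.fallback) - elapsed
                if left <= 0:
                    live = best
                    self.hold_left.pop(cid, None)
                else:
                    self.hold_left[cid] = left
            else:
                self.hold_left.pop(cid, None)

            # Only hubs better than the worst live one are worth probing or holding.
            worst = max((n.priority for n in live), default=256)
            for n in members:
                if n in live:
                    n.state = "UP"
                elif n.priority < worst:
                    n.state = "UP-hold" if n.reachable else "PROBE"
                else:
                    n.state = "DOWN"
            self.up[cid] = {n.name for n in live}
        return {n.name: n.state for n in self.nhss}


def backup_scenarios() -> List[Dict[str, str]]:
    """Walk through cluster 1 of Table 11: the active hub fails twice in a row."""
    hubs = [Nhs("A1", 1, 1), Nhs("A2", 2, 1), Nhs("A3", 2, 1), Nhs("A4", 2, 1)]
    spoke = Spoke(hubs, {1: 1})
    out = [spoke.evaluate()]                 # scenario 1: A1 carries the tunnel
    hubs[0].reachable = False
    out.append(spoke.evaluate())             # scenario 2: A2 takes over, A1 is probed
    hubs[1].reachable = False
    out.append(spoke.evaluate())             # scenario 3: A3 takes over, A2 stays DOWN
    return out


def fallback_scenarios() -> List[Dict[str, str]]:
    """Walk through Table 10: five hubs, max-connections 1, fallback 30 seconds."""
    hubs = [Nhs(f"NHS {i}", i, reachable=(i == 5)) for i in range(1, 6)]
    spoke = Spoke(hubs, {DEFAULT_CLUSTER: 1}, fallback=30)
    out = [spoke.evaluate()]                 # scenario 1: only NHS 5 answers
    hubs[3].reachable = True
    out.append(spoke.evaluate(0))            # scenario 2: NHS 4 is back, hold starts
    hubs[2].reachable = True
    out.append(spoke.evaluate(10))           # scenario 3: 20 s of hold left
    hubs[1].reachable = hubs[0].reachable = True
    out.append(spoke.evaluate(10))           # scenario 4: 10 s of hold left
    out.append(spoke.evaluate(10))           # scenario 5: hold expired, NHS 1 wins
    return out


if __name__ == "__main__":
    for i, states in enumerate(fallback_scenarios(), 1):
        print(f"scenario {i}: {states}")
```

Running the module prints the five Table 10 scenarios. Setting `fallback=0` in `fallback_scenarios` reproduces Table 9 instead: the spoke switches every time a better hub answers, which is exactly the flapping the fallback timer is meant to suppress.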

How to Configure DMVPN-Tunnel Health Monitoring and Recovery Backup NHS
Configuring the Maximum Number of Connections for an NHS Cluster
Perform this task to configure the desired maximum number of connections for an NHS cluster.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface tunnel number
4. ip nhrp nhs cluster cluster-number max-connections value


DETAILED STEPS

Step 1  enable
        Enables privileged EXEC mode. Enter your password if prompted.
        Example:
        Router> enable

Step 2  configure terminal
        Enters global configuration mode.
        Example:
        Router# configure terminal

Step 3  interface tunnel number
        Enters interface configuration mode.
        Example:
        Router(config)# interface tunnel 1

Step 4  ip nhrp nhs cluster cluster-number max-connections value
        Configures the desired maximum number of connections.
        Note: Use the ipv6 nhrp nhs cluster cluster-number max-connections value command for IPv6 configuration.
        Example:
        Router(config-if)# ip nhrp nhs cluster 5 max-connections 100

Configuring NHS Fallback Time


Perform this task to configure NHS fallback time.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface tunnel number
4. ip nhrp nhs fallback fallback-time

DETAILED STEPS

Step 1  enable
        Enables privileged EXEC mode. Enter your password if prompted.
        Example:
        Router> enable

Step 2  configure terminal
        Enters global configuration mode.
        Example:
        Router# configure terminal

Step 3  interface tunnel number
        Enters interface configuration mode.
        Example:
        Router(config)# interface tunnel 1

Step 4  ip nhrp nhs fallback fallback-time
        Configures NHS fallback time.
        Note: Use the ipv6 nhrp nhs fallback fallback-time command for IPv6 configuration.
        Example:
        Router(config-if)# ip nhrp nhs fallback 25

Configuring NHS Priority and Group Values


Perform this task to configure NHS priority and group values.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface tunnel number
4. ip nhrp nhs nhs-address priority nhs-priority cluster cluster-number

DETAILED STEPS

Step 1  enable
        Enables privileged EXEC mode. Enter your password if prompted.
        Example:
        Router> enable

Step 2  configure terminal
        Enters global configuration mode.
        Example:
        Router# configure terminal

Step 3  interface tunnel number
        Enters interface configuration mode.
        Example:
        Router(config)# interface tunnel 1

Step 4  ip nhrp nhs nhs-address priority nhs-priority cluster cluster-number
        Configures the desired priority and cluster values.
        Note: Use the ipv6 nhrp nhs nhs-address priority nhs-priority cluster cluster-number command for IPv6 configuration.
        Example:
        Router(config-if)# ip nhrp nhs 172.0.2.1 priority 1 cluster 2

Verifying the DMVPN-Tunnel Health Monitoring and Recovery Backup NHS Feature
Perform this task to display information and verify DMVPN-Tunnel Health Monitoring and Recovery (Backup
NHS) feature configuration. You can enter these show commands in any order.

SUMMARY STEPS
1. enable
2. show ip nhrp nhs
3. show ip nhrp nhs redundancy
4. show ipv6 nhrp nhs
5. show ipv6 nhrp nhs redundancy

DETAILED STEPS

Step 1 enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:

Router# enable

Step 2 show ip nhrp nhs


Displays NHRP NHS information.
Example:

Router# show ip nhrp nhs


Legend: E=Expecting replies, R=Responding, W=Waiting
Tunnel0:
10.0.0.1 RE priority = 0 cluster = 0

Step 3 show ip nhrp nhs redundancy


Displays NHRP NHS recovery information.
Example:

Router# show ip nhrp nhs redundancy


Legend: E=Expecting replies, R=Responding, W=Waiting
No. Interface Cluster NHS Priority Cur-State Cur-Queue Prev-State Prev-Queue
1 Tunnel0 0 10.0.0.253 3 RE Running E Running
2 Tunnel0 0 10.0.0.252 2 RE Running E Running
3 Tunnel0 0 10.0.0.251 1 RE Running E Running


No. Interface Cluster Status Max-Con Total-NHS Responding Expecting Waiting Fallback
1 Tunnel0 0 Enable 3 3 3 0 0 0

Step 4 show ipv6 nhrp nhs


Displays IPv6-specific NHRP NHS information.
Example:

Router# show ipv6 nhrp nhs


Legend: E=Expecting replies, R=Responding, W=Waiting
Tunnel0:
2001::101 RE priority = 1 cluster = 5

Step 5 show ipv6 nhrp nhs redundancy


Displays IPv6-specific NHRP NHS recovery information.
Example:

Router# show ipv6 nhrp nhs redundancy


Legend: E=Expecting replies, R=Responding, W=Waiting
No. Interface Cluster NHS Priority Cur-State Cur-Queue Prev-State Prev-Queue
1 Tunnel0 5 2001::101 1 E Running RE Running
No. Interface Cluster Status Max-Con Total-NHS Responding Expecting Waiting Fallback
1 Tunnel0 5 Disable Not Set 1 0 1 0 0
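
The show ip nhrp nhs redundancy output above is what an operator would poll to confirm that every cluster still has its required number of hubs. The following Python checker is an added example and not Cisco code: it parses the two tables the command prints (one row per NHS, then one row per cluster) and reports clusters whose Responding count is below Max-Con, clusters configured with more required connections than NHSs, and hubs whose Cur-State lacks the R (Responding) flag. The embedded samples are copied from the output shown on this page; the parser assumes whitespace-separated columns as they appear here and treats "Not Set" as a single Max-Con value. Treating a missing R flag as a finding is this example's own threshold, not a Cisco recommendation.

```python
"""Health check over `show ip nhrp nhs redundancy` output.

Added example, not Cisco code. It parses the two tables the command prints (one
row per NHS, then one row per cluster) and reports clusters that cannot or do
not meet their max-connections target and hubs that are not responding. The
sample text is copied from the output shown on this page; the column layout
is assumed to be whitespace-separated as it appears there.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class NhsRow:
    interface: str
    cluster: int
    nhs: str
    priority: int
    cur_state: str          # letters from the legend: E expecting, R responding, W waiting


@dataclass
class ClusterRow:
    interface: str
    cluster: int
    status: str             # Enable / Disable
    max_con: Optional[int]  # None when the device prints "Not Set"
    total_nhs: int
    responding: int
    expecting: int
    waiting: int
    fallback: int


def parse_nhs_redundancy(text: str) -> Tuple[List[NhsRow], List[ClusterRow]]:
    """Split the command output into per-NHS and per-cluster rows."""
    nhs_rows: List[NhsRow] = []
    cluster_rows: List[ClusterRow] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Legend"):
            continue
        if line.startswith("No."):              # a header line starts a new table
            section = "cluster" if "Max-Con" in line else "nhs"
            continue
        tok = line.replace("Not Set", "NotSet").split()
        if section == "nhs":
            nhs_rows.append(NhsRow(tok[1], int(tok[2]), tok[3], int(tok[4]), tok[5]))
        elif section == "cluster":
            max_con = None if tok[4] == "NotSet" else int(tok[4])
            cluster_rows.append(ClusterRow(tok[1], int(tok[2]), tok[3], max_con,
                                           *(int(t) for t in tok[5:10])))
    return nhs_rows, cluster_rows


def redundancy_findings(text: str) -> List[str]:
    """Return one message per condition that an operator should look at."""
    nhs_rows, cluster_rows = parse_nhs_redundancy(text)
    findings: List[str] = []
    for c in cluster_rows:
        if c.max_con is not None and c.total_nhs < c.max_con:
            findings.append(f"{c.interface} cluster {c.cluster}: max-connections {c.max_con} "
                            f"but only {c.total_nhs} NHSs configured")
        if c.max_con is not None and c.responding < c.max_con:
            findings.append(f"{c.interface} cluster {c.cluster}: {c.responding} of "
                            f"{c.max_con} required hubs responding")
    for r in nhs_rows:
        if "R" not in r.cur_state:
            findings.append(f"{r.interface} cluster {r.cluster}: NHS {r.nhs} "
                            f"(priority {r.priority}) not responding, state {r.cur_state}")
    return findings


# Constructed from the sample output shown on this page.
HEALTHY_SAMPLE = """\
Legend: E=Expecting replies, R=Responding, W=Waiting
No. Interface Cluster NHS Priority Cur-State Cur-Queue Prev-State Prev-Queue
1 Tunnel0 0 10.0.0.253 3 RE Running E Running
2 Tunnel0 0 10.0.0.252 2 RE Running E Running
3 Tunnel0 0 10.0.0.251 1 RE Running E Running
No. Interface Cluster Status Max-Con Total-NHS Responding Expecting Waiting Fallback
1 Tunnel0 0 Enable 3 3 3 0 0 0
"""

DEGRADED_SAMPLE = """\
Legend: E=Expecting replies, R=Responding, W=Waiting
No. Interface Cluster NHS Priority Cur-State Cur-Queue Prev-State Prev-Queue
1 Tunnel0 5 2001::101 1 E Running RE Running
No. Interface Cluster Status Max-Con Total-NHS Responding Expecting Waiting Fallback
1 Tunnel0 5 Disable Not Set 1 0 1 0 0
"""

if __name__ == "__main__":
    for name, sample in (("healthy", HEALTHY_SAMPLE), ("degraded", DEGRADED_SAMPLE)):
        print(name, redundancy_findings(sample) or ["no findings"])
```

Fed the IPv4 sample, the checker reports nothing; fed the IPv6 sample, it flags 2001::101 because the spoke is still expecting replies from it and has not seen a response. A cluster with Max-Con Not Set produces no cluster-level finding, since the spoke has no target to fall short of there.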

Configuration Examples for DMVPN-Tunnel Health Monitoring and Recovery Backup NHS
Example Configuring Maximum Connections for an NHS Cluster
The following example shows how to configure a “max-connections” value of 3 for three NHSs that belong
to cluster 0:

interface tunnel 0
bandwidth 1000
ip address 10.0.0.1 255.0.0.0
no ip redirects
ip mtu 1400
ip nhrp authentication test
ip nhrp map multicast 172.0.2.1
ip nhrp map 10.0.0.253 172.0.2.1
ip nhrp map multicast 172.0.2.2
ip nhrp map 10.0.0.251 172.0.2.2
ip nhrp map multicast 172.0.2.3
ip nhrp map 10.0.0.252 172.0.2.3
ip nhrp network-id 100000
ip nhrp holdtime 300
ip nhrp nhs 10.0.0.252 priority 2
ip nhrp nhs 10.0.0.251 priority 1
ip nhrp nhs 10.0.0.253 priority 3
ip nhrp nhs cluster 0 max-connections 3
ip nhrp shortcut
delay 100
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile vpnprof
!
!

Example Configuring NHS Fallback Time


The following example shows how to configure NHS fallback time to 25 seconds:

configure terminal
interface tunnel 1
ip nhrp nhs fallback 25

Example Configuring NHS Priority and Group Values


The following example shows how to group NHSs under different clusters and then assign different maximum
connection values to the clusters:

configure terminal
interface tunnel 0
ip nhrp nhs 10.0.0.251 priority 1 cluster 1
ip nhrp map 10.0.0.251 192.0.2.4
ip nhrp map multicast 192.0.2.4
end
configure terminal
interface tunnel 0
ip nhrp nhs 10.0.0.252 priority 2 cluster 2
ip nhrp map 10.0.0.252 192.0.2.5
ip nhrp map multicast 192.0.2.5
end
configure terminal
interface tunnel 0
ip nhrp nhs 10.0.0.253 priority 3 cluster 3
ip nhrp map 10.0.0.253 192.0.2.6
ip nhrp map multicast 192.0.2.6
end
configure terminal
interface tunnel 0
ip nhrp nhs cluster 1 max 1
ip nhrp nhs cluster 2 max 1
ip nhrp nhs cluster 3 max 1
end

Additional References
Related Documents

Related Topic Document Title

Cisco IOS commands Cisco IOS Master Commands List, All Releases


DMVPN complete command syntax, command mode, Cisco IOS Security Command Reference
defaults, usage guidelines, and examples

Standards

Standard Title

No new or modified standards are supported by this feature and support for existing standards has not --
been modified by this feature.

MIBs

MIB                                                     MIBs Link
No new or modified MIBs are supported by this           To locate and download MIBs for selected platforms, Cisco
feature, and support for existing MIBs has not          software releases, and feature sets, use Cisco MIB Locator
been modified by this feature.                          found at the following URL:
                                                        http://www.cisco.com/go/mibs

RFCs

RFC Title

No new or modified RFCs are supported by this feature. --

Technical Assistance

Description                                                        Link
The Cisco Support and Documentation website provides online        http://www.cisco.com/cisco/web/support/index.html
resources to download documentation, software, and tools. Use
these resources to install and configure the software and to
troubleshoot and resolve technical issues with Cisco products
and technologies. Access to most tools on the Cisco Support and
Documentation website requires a Cisco.com user ID and password.

Feature Information for DMVPN-Tunnel Health Monitoring and Recovery Backup NHS
The following table provides release information about the feature or features described in this module. This
table lists only the software release that introduced support for a given feature in a given software release
train. Unless noted otherwise, subsequent releases of that software release train also support that feature.


Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 13: Feature Information for DMVPN-Tunnel Health Monitoring and Recovery Backup NHS

Feature Name                          Releases   Feature Information
DMVPN-Tunnel Health Monitoring and               The DMVPN-Tunnel Health Monitoring and Recovery (Backup NHS)
Recovery (Backup NHS)                            feature allows you to control the number of connections to the
                                                 DMVPN hub and allows you to switch to alternate hubs in case of
                                                 connection failure to primary hubs.
                                                 The following commands were introduced or modified: ip nhrp nhs,
                                                 ipv6 nhrp nhs, show ip nhrp nhs, show ipv6 nhrp nhs.

CHAPTER 7
DMVPN Event Tracing
The DMVPN Event Tracing feature provides a trace facility for troubleshooting Cisco IOS Dynamic Multipoint
VPN (DMVPN). This feature enables you to monitor DMVPN events, errors, and exceptions. During runtime,
the event trace mechanism logs trace information in a buffer space. A display mechanism extracts and decodes
the debug data.
You can use the DMVPN Event Tracing feature to analyze the cause of a device failure. When you configure
the DMVPN Event Tracing feature, the router logs messages from specific DMVPN subsystem components
into the device memory. You can view trace messages stored in the memory or save them to a file.
• Finding Feature Information, on page 129
• Information About DMVPN Event Tracing, on page 129
• How to Configure DMVPN Event Tracing, on page 130
• Configuration Examples for DMVPN Event Tracing, on page 132
• Additional References, on page 132
• Feature Information for DMVPN Event Tracing, on page 133

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Information About DMVPN Event Tracing


Benefits of DMVPN Event Tracing
• Displays debug information on the console during runtime.
• Avoids multiple debug calls, and hence improves device performance.
• Saves memory space.


DMVPN Event Tracing Options


The DMVPN Event Tracing feature defines the event data type, provides functionalities to capture the event,
and prints the events and the CLI extensions required to access and modify the log. The table below lists
different options that can be monitored using the DMVPN Event Tracing feature.

Table 14: DMVPN Event Trace Options

Event Type             Description
NHRP Event Trace       General Next Hop Resolution Protocol (NHRP) events, such as NHRP protocol, NHRP
                       messages, changes in NHRP data structure, NHRP NBMA or protocol address change, and
                       NHRP traps.
NHRP Error Trace       All NHRP error events.
NHRP Exception Trace   All NHRP exception events.
Tunnel Event Trace     All tunnel events.

How to Configure DMVPN Event Tracing


You can configure the DMVPN Event Tracing feature in privileged EXEC mode or global configuration
mode based on the desired parameters. See the Cisco IOS Security Command Reference for information on
different parameters available in privileged EXEC mode or global configuration mode.
Perform one of the following tasks to configure the DMVPN Event Tracing feature:

Configuring DMVPN Event Tracing in Privileged EXEC Mode


Perform this task to configure DMVPN event tracing in privileged EXEC mode.

SUMMARY STEPS
1. enable
2. monitor event-trace dmvpn {nhrp {error | event | exception} | tunnel} {clear | continuous [cancel]
| disable | enable | one-shot}

DETAILED STEPS

Step 1  enable
        Enables privileged EXEC mode. Enter your password if prompted.
        Example:
        Router> enable

Step 2  monitor event-trace dmvpn {nhrp {error | event | exception} | tunnel} {clear | continuous [cancel] | disable | enable | one-shot}
        Monitors and controls DMVPN traces.
        Example:
        Router# monitor event-trace dmvpn nhrp error enable

Configuring DMVPN Event Tracing in Global Configuration Mode


Perform this task to configure DMVPN event tracing in global configuration mode.

SUMMARY STEPS
1. enable
2. configure terminal
3. monitor event-trace dmvpn {dump-file url | {nhrp {error | event | exception} | tunnel} {disable |
dump-file url | enable | size | stacktrace value}}
4. exit

DETAILED STEPS

Step 1  enable
        Enables privileged EXEC mode. Enter your password if prompted.
        Example:
        Router> enable

Step 2  configure terminal
        Enters global configuration mode.
        Example:
        Router# configure terminal

Step 3  monitor event-trace dmvpn {dump-file url | {nhrp {error | event | exception} | tunnel} {disable | dump-file url | enable | size | stacktrace value}}
        Monitors and controls DMVPN traces.
        Example:
        Router(config)# monitor event-trace dmvpn nhrp error enable

Step 4  exit
        Exits global configuration mode.
        Example:
        Router(config)# exit

Configuration Examples for DMVPN Event Tracing


Example Configuring DMVPN Event Tracing in Privileged EXEC Mode
The following example shows how to monitor NHRP error traces in privileged EXEC mode:

Router> enable
Router# monitor event-trace dmvpn nhrp error enable

Example Configuring DMVPN Event Tracing in Global Configuration Mode


The following example shows how to monitor NHRP error traces in global configuration mode:

Router> enable
Router# configure terminal
Router(config)# monitor event-trace dmvpn nhrp error enable

Additional References
Related Documents

Related Topic | Document Title
Cisco IOS commands | Cisco IOS Master Commands List, All Releases
DMVPN commands | Cisco IOS Security Command Reference

Standards

Standard | Title
None | --

MIBs

MIB | MIBs Link
None | --

RFCs

RFC | Title
None | --

Technical Assistance

Description | Link
The Cisco Support and Documentation website provides online resources to download documentation, software,
and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical
issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation
website requires a Cisco.com user ID and password. | http://www.cisco.com/cisco/web/support/index.html

Feature Information for DMVPN Event Tracing


The following table provides release information about the feature or features described in this module. This
table lists only the software release that introduced support for a given feature in a given software release
train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 15: Feature Information for DMVPN Event Tracing

Feature Name | Releases | Feature Information
DMVPN Event Tracing | -- | The DMVPN Event Tracing feature provides a trace facility for
troubleshooting Cisco IOS DMVPN. This feature enables you to monitor DMVPN events, errors, and
exceptions. During runtime, the event trace mechanism logs trace information in a buffer space. A display
mechanism extracts and decodes the debug data.
The following commands were introduced or modified: monitor event-trace dmvpn, show monitor event-trace dmvpn.

CHAPTER 8
NHRP MIB
The Cisco NHRP MIB feature introduces support for the NHRP MIB, which helps to manage and monitor
the Next Hop Resolution Protocol (NHRP) via Simple Network Management Protocol (SNMP). Statistics
can be collected and monitored via standards-based SNMP techniques (get operations) to query objects defined
in the NHRP MIB. The NHRP MIB is VRF aware and supports VRF aware queries.

Note Security threats, as well as the cryptographic technologies to help protect against them, are constantly changing.
For more information about the latest Cisco cryptographic recommendations, see the Next Generation
Encryption (NGE) white paper.

• Finding Feature Information, on page 135
• Prerequisites for NHRP MIB, on page 135
• Restrictions for NHRP MIB, on page 136
• Information About NHRP MIB, on page 136
• How to Use NHRP MIB, on page 136
• Configuration Examples for NHRP MIB, on page 137
• Additional References, on page 139
• Feature Information for NHRP MIB, on page 140

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for NHRP MIB


• You should be familiar with configuring SNMP.


Restrictions for NHRP MIB


• Cisco does not support all the MIB variables defined in RFC-2677, Definitions of Managed Objects for
the NBMA Next Hop Resolution Protocol (NHRP). For a list of variables supported and other caveats
of this feature, see the Agent Capabilities file. Cisco does not support the set operations defined in
RFC-2677.

Information About NHRP MIB


CISCO-NHRP-MIB
CISCO-NHRP-MIB provides NHRP MIB information on managed objects relating to clients only, servers
only, and clients and servers.
The NHRP MIB module contains ten tables of objects as follows:
• NHRP Cache Table
• NHRP Purge Request Table
• NHRP Client Table
• NHRP Client Registration Table
• NHRP Client NHS Table
• NHRP Client Statistics Table
• NHRP Server Table
• NHRP Server Cache Table
• NHRP Server NHC Table
• NHRP Server Statistics Table

The Cisco implementation supports all of the tables except the NHRP Purge Request Table.

RFC-2677
RFC-2677 - Definitions of Managed Objects for the NBMA Next Hop Resolution Protocol (NHRP), describes
managed objects that can be used to remotely monitor NHRP using SNMP and provide management information
on the performance of NHRP.

How to Use NHRP MIB


No special configuration is needed for this feature. The SNMP framework can be used to manage NHRP MIB.
See the section “Configuration Examples for NHRP MIB” for an example of how to manage a VRF aware
NHRP MIB.

Verifying NHRP MIB Status


Use this task to verify the NHRP MIB status.

SUMMARY STEPS
1. enable
2. show snmp mib nhrp status

DETAILED STEPS

Step 1: enable
  Purpose: Enables privileged EXEC mode. Enter your password if prompted.
  Example:
  Router> enable

Step 2: show snmp mib nhrp status
  Purpose: Displays the status of the NHRP MIB.
  Example:
  Router# show snmp mib nhrp status

Configuration Examples for NHRP MIB


Example Verifying NHRP MIB Status
The following output is from the show snmp mib nhrp status command:

Spoke_103# show snmp mib nhrp status
NHRP-SNMP Agent Feature: Enabled
NHRP-SNMP Tree State: Good
ListEnqueue Count = 0 Node Malloc Counts = 1
Spoke_103#

The “Enabled” status of “NHRP-SNMP Agent Feature:” indicates that the NHRP MIB is enabled. If the
NHRP MIB was disabled, it would display “Disabled”. “ListEnqueue Count” and “Node Malloc Counts”
counts are internal counts. “ListEnqueue Count” indicates how many nodes are queued for freeing. “Node
Malloc Counts” displays how many nodes are allocated.

Example VRF-Aware NHRP MIB Configuration


The following is an example of how to configure a VRF Table with the name V3red, for monitoring by SNMP:

ip vrf V3red
rd 198102
! Name of the SNMP VPN context
context V3red_context
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 14
crypto isakmp key cisco47 address 0.0.0.0
!
crypto ipsec transform-set trans2 esp-aes esp-sha-hmac
!
crypto ipsec profile vpnprof
set transform-set trans2
!
interface Tunnel0
bandwidth 1000
! DMVPN tunnel for V3red VPN
ip vrf forwarding V3red
ip address 10.0.0.1 255.255.255.0
ip mtu 1400
ip nhrp authentication donttell
ip nhrp map multicast dynamic
ip nhrp network-id 99
ip nhrp holdtime 300
no ip split-horizon eigrp 1
ip tcp adjust-mss 1360
delay 1000
tunnel source Ethernet0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile vpnprof
!
interface Ethernet0
ip address 172.17.0.1 255.255.255.0
!
interface Ethernet1
ip address 192.168.0.1 255.255.255.0
!
router eigrp 1
address-family ipv4 vrf V3red
network 10.0.0.0 0.0.0.255
network 192.168.0.0 0.0.0.255
no auto-summary
autonomous-system 1
exit-address-family
!
! V2C Community ABC for VRF V3red
snmp-server group abc v2c context V3red_context read view_V3
snmp-server view view_V3 iso included
snmp-server community abc RO
snmp-server community public RO
snmp-server context V3red_context
!
!
snmp mib community-map abc context V3red_context

Spoke Configuration for DMVPN Example

crypto isakmp policy 1
encr aes
authentication pre-share
group 14
crypto isakmp key cisco47 address 0.0.0.0
!
crypto ipsec transform-set trans2 esp-aes esp-sha-hmac
!
crypto ipsec profile vpnprof
set transform-set trans2
!
interface Tunnel0
bandwidth 1000
ip address 10.0.0.2 255.255.255.0
ip mtu 1400
ip nhrp authentication donttell
ip nhrp map 10.0.0.1 172.17.0.1
ip nhrp map multicast 172.17.0.1
ip nhrp network-id 99
ip nhrp holdtime 300
ip nhrp nhs 10.0.0.1
ip tcp adjust-mss 1360
delay 1000
tunnel source Ethernet0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile vpnprof
!
interface Ethernet0
ip address dhcp hostname Spoke1
!
interface Ethernet1
ip address 192.168.1.1 255.255.255.0
!
router eigrp 1
network 10.0.0.0 0.0.0.255
network 192.168.1.0 0.0.0.255

Additional References
Related Documents

Related Topic | Document Title
Cisco IOS commands | Cisco IOS Master Commands List, All Releases
Description of SNMP, SNMP MIBs, and how to configure SNMP on Cisco devices | The chapter “Configuring SNMP Support” in the Cisco IOS Network Management Configuration Guide
Recommended cryptographic algorithms | Next Generation Encryption

Standards

Standard | Title
None | --

MIBs

MIB | MIBs Link
CISCO-NHRP-MIB | To locate and download MIBs for selected platforms, Cisco software releases, and
feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs

RFCs

RFC | Title
RFC 2677 | Definitions of Managed Objects for the NBMA Next Hop Resolution Protocol (NHRP)

Technical Assistance

Description | Link
The Cisco Support and Documentation website provides online resources to download documentation, software,
and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical
issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation
website requires a Cisco.com user ID and password. | http://www.cisco.com/cisco/web/support/index.html

Feature Information for NHRP MIB


The following table provides release information about the feature or features described in this module. This
table lists only the software release that introduced support for a given feature in a given software release
train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 16: Feature Information for NHRP MIB

Feature Name | Releases | Feature Information
NHRP MIB | 12.4(20)T | The Cisco NHRP MIB feature introduces support for the NHRP MIB, which
helps to manage and monitor Next Hop Resolution Protocol (NHRP) via Simple Network Management
Protocol (SNMP). Statistics can be collected and monitored via standards-based SNMP techniques (get
operations) to query objects defined in the NHRP MIB.
The following commands were introduced or modified: debug snmp mib nhrp, show snmp mib nhrp status.

CHAPTER 9
DMVPN Dynamic Tunnels Between Spokes
Behind a NAT Device
The DMVPN: Dynamic Tunnels Between Spokes Behind a NAT Device feature allows Next Hop Resolution
Protocol (NHRP) spoke-to-spoke tunnels to be built in Dynamic Multipoint Virtual Private Networks
(DMVPNs), even if one or more spokes is behind a Network Address Translation (NAT) device.
• Finding Feature Information, on page 141
• Restrictions for DMVPN Dynamic Tunnels Between Spokes Behind a NAT Device, on page 141
• Information About DMVPN Dynamic Tunnels Between Spokes Behind a NAT Device, on page 142
• Additional References, on page 146
• Feature Information for DMVPN Dynamic Tunnels Between Spokes Behind a NAT Device, on page
147

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Restrictions for DMVPN Dynamic Tunnels Between Spokes Behind a NAT Device

In order for spokes to build tunnels between them, they need to know the post-NAT address of the other spoke.
Consider the following restrictions when using spoke-to-spoke tunneling in NAT environments:
• Multiple NAT translations --A packet can go across multiple NAT devices in a nonbroadcast multiaccess
(NBMA) DMVPN cloud and make several (unimportant) translations before it reaches its destination.
The last translation is the important translation because it is used to create the NAT translation for all
devices that reach a spoke through the last NAT device.

• Hub or spoke can be reached through pre-NAT addresses --It is possible for two or more spokes to
be behind the same NAT device, which can be reached through a pre-NAT IP address. Only the post-NAT
IP address is relied on even if it means that a tunnel may take a less desirable path. If both spokes use
NAT through the same device, then a packet may not travel inside-out or outside-in as expected by the
NAT device and translations may not occur correctly.
• Interoperability between NAT and non-NAT capable devices --In networks that are deployed with
DMVPN, it is important that a device with NHRP NAT functionality operate together with non-NAT
supported devices. A capability bit in the NHRP packet header indicates to any receiver whether a sending
device understands a NAT extension.
• Same NAT translation --A spoke’s post-NAT IP address must be the same when the spoke is
communicating with its hubs and when it is communicating with other spokes. For example, a spoke
must have the same post-NAT IP address no matter where it is sending tunnel packets within the DMVPN
network.
• If one spoke is behind one NAT device and a different spoke is behind another NAT device, and
Port Address Translation (PAT) is the type of NAT used on both NAT devices, then a session initiated
between the two spokes cannot be established.

One example of a PAT configuration on a NAT interface is:

ip nat inside source list nat_acl interface FastEthernet0/1 overload

Information About DMVPN Dynamic Tunnels Between Spokes Behind a NAT Device

The following sections describe how DMVPN: Dynamic Tunnels Between Spokes Behind a NAT Device
allows spoke-to-spoke tunnels to be built even if one or both spoke devices are behind a NAT device:

DMVPN Spoke-to-spoke Tunneling Limited to Spokes not Behind a NAT Device


NAT allows a single device, such as a router, to act as an agent between the Internet (or “public network”) and
a local (or “private”) network, and is often used because of the scarcity of available IP addresses. A single
unique IP address is required to represent an entire group of devices to anything outside the NAT device.
NAT is also deployed for security and administration purposes.
In DMVPN networks, spoke-to-spoke tunneling is limited to spokes that are not behind a NAT device. If
one or both spokes are behind a NAT device, a spoke-to-spoke tunnel cannot be built to or from the NAT
device, because the spoke-to-spoke tunnel traffic could fail or be lost (“black-holed”) for an extended
period of time.
The diagram below and the following sections describe how DMVPN works when spoke-to-spoke tunneling
is limited to spokes that are not behind a NAT device.

Figure 7: Implementation of DMVPN Spoke-to-spoke Tunneling Limited to Spokes Not Behind a NAT Device

NHRP Registration
When an NHRP registration is received, the hub checks the source IP address on the encapsulating GRE/IP
header of the NHRP packet with the source NBMA IP address, which is contained in the NHRP registration
packet. If these IP addresses are different, then NHRP knows that NAT is changing the outer IP header source
address. The hub preserves both the pre- and post-NAT address of the registered spoke.

Note If encryption is used, then IPsec transport mode must be used to enable NHRP.

The following show ip nhrp command output example shows the source IP address of the NHRP packet and
tunnel information for Spoke B in the figure above:

Note The NBMA (post-NAT) address for Spoke B is 172.18.2.1 (the claimed NBMA (pre-NAT) source address
is 172.16.2.1).

Router# show ip nhrp
10.0.0.11/32 via 10.0.0.11, Tunnel0 created 00:00:21, expire 00:05:38
  Type: dynamic, Flags: authoritative unique registered used
  NBMA address: 172.18.2.1
    (Claimed NBMA address: 172.16.2.1)
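The NBMA versus claimed-NBMA mismatch above is the one operational signal a hub operator has that a registered spoke sits behind NAT. The following is an added example, not Cisco code: a parser for show ip nhrp output that flags such spokes. The first entry is the excerpt above; the second (10.0.0.13, NBMA 172.16.3.1) is constructed to show a spoke that is not translated.

```python
"""Parse `show ip nhrp` output and report registered spokes whose outer (post-NAT)
NBMA address differs from the NBMA address they claim inside the NHRP packet.
Constructed example; the second cache entry below is made up for illustration."""
import re
from dataclasses import dataclass
from typing import Optional

# First entry copied from the chapter; second entry constructed (not NATed).
SAMPLE_SHOW_IP_NHRP = """\
10.0.0.11/32 via 10.0.0.11, Tunnel0 created 00:00:21, expire 00:05:38
  Type: dynamic, Flags: authoritative unique registered used
  NBMA address: 172.18.2.1
    (Claimed NBMA address: 172.16.2.1)
10.0.0.13/32 via 10.0.0.13, Tunnel0 created 00:03:10, expire 00:04:27
  Type: dynamic, Flags: authoritative unique registered
  NBMA address: 172.16.3.1
"""

# One regex per line shape that appears in the output.
ENTRY_RE = re.compile(
    r"^(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+) via (?P<via>\S+), (?P<intf>\S+) "
    r"created (?P<created>\S+), expire (?P<expire>\S+)")
TYPE_RE = re.compile(r"^\s*Type: (?P<type>\w+), Flags: (?P<flags>.*)$")
NBMA_RE = re.compile(r"^\s*NBMA address: (?P<nbma>\S+)")
CLAIMED_RE = re.compile(r"^\s*\(Claimed NBMA address: (?P<claimed>\S+)\)")


@dataclass
class NhrpEntry:
    prefix: str                        # tunnel (VPN) prefix of the mapping
    via: str                           # next hop tunnel address (the spoke)
    interface: str                     # mGRE tunnel interface holding the entry
    entry_type: str = ""
    flags: tuple = ()
    nbma: Optional[str] = None         # outer GRE/IP source as seen by the hub
    claimed_nbma: Optional[str] = None # pre-NAT address carried inside NHRP

    @property
    def behind_nat(self) -> bool:
        # IOS only prints the "Claimed" line when the two addresses differ.
        return self.claimed_nbma is not None and self.claimed_nbma != self.nbma


def parse_show_ip_nhrp(text: str) -> list:
    """Turn the multi-line show output into a list of NhrpEntry objects."""
    entries, cur = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:                                       # a new cache entry starts
            cur = NhrpEntry(m["prefix"], m["via"], m["intf"])
            entries.append(cur)
            continue
        if cur is None:                             # skip anything before the first entry
            continue
        if m := TYPE_RE.match(line):
            cur.entry_type, cur.flags = m["type"], tuple(m["flags"].split())
        elif m := NBMA_RE.match(line):
            cur.nbma = m["nbma"]
        elif m := CLAIMED_RE.match(line):
            cur.claimed_nbma = m["claimed"]
    return entries


def nat_report(entries: list) -> dict:
    """Map each registered spoke's tunnel address to (post-NAT, pre-NAT) NBMA addresses
    for spokes the hub has detected behind NAT; untranslated spokes are omitted."""
    return {e.via: (e.nbma, e.claimed_nbma)
            for e in entries if "registered" in e.flags and e.behind_nat}


if __name__ == "__main__":
    for spoke, (post, pre) in nat_report(parse_show_ip_nhrp(SAMPLE_SHOW_IP_NHRP)).items():
        print(f"spoke {spoke} is behind NAT: post-NAT {post}, pre-NAT {pre}")
```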

NHRP Resolution
The following describes the NHRP resolution process between Spoke A and Spoke B shown in the figure
above, where Spoke B is behind a NAT device with pre-NAT address of 172.16.2.1 and a post-NAT address
of 172.18.2.1:
• The NHRP table entry for Spoke B on the hub contains both the post-NAT and pre-NAT addresses.
When the hub receives an NHRP resolution request for the VPN address (tunnel address) of Spoke B, it
answers with its own NBMA address instead of Spoke B’s NBMA address.
• When the hub receives an NHRP resolution request sourced from Spoke B for any other spoke, the hub
also answers with its own NBMA address. This ensures that any attempt to build a spoke-to-spoke tunnel
with Spoke B results in the data packets being sent through the hub rather than through a spoke-to-spoke
tunnel.

For example:
• Data traffic from source IP address 192.168.1.1 (behind Spoke A) to destination IP address
192.168.2.1 (behind Spoke B) triggers Spoke A to send a resolution request for Spoke B (10.0.0.12)
to the next hop router (hub).
• The hub receives the resolution request and finds a mapping entry for Spoke B (10.0.0.12). Because
Spoke B is behind a NAT device, the hub acts as a proxy and replies with its own NBMA address
(172.17.0.1).
• The hub also receives a resolution request from Spoke B for Spoke A (10.0.0.11). Because Spoke
B is behind a NAT device, the hub acts as a proxy and replies with its own NBMA address (172.17.0.1).
This forces any spoke-to-spoke traffic to or from Spoke B to travel through the hub router rather than
over a tunnel between the spokes.

NHRP Spoke-to-Spoke Tunnel with a NAT Device


The NHRP Spoke-to-Spoke Tunnel with NAT feature introduces a NAT extension to the NHRP protocol and is enabled
automatically. The NHRP NAT extension is a Client Information Entry (CIE) carrying the protocol and the
post-NAT NBMA address. This additional information allows spoke-to-spoke tunnels between spokes where one
or both are behind a NAT device, without the problem of losing (black-holing) traffic for an extended period
of time.

Note The spoke-to-spoke tunnel may fail to come up, but it is detected and the data traffic flows through the hub,
rather than being lost (black-holed).

The diagram below shows how the NHRP spoke-to-spoke tunnel works with NAT.

Figure 8: NHRP Between Spoke-to-Spoke Tunnels

NHRP Registration Process


The following steps describe the NHRP registration process:
1. A spoke sends a registration request with the NAT-Capability=1 parameter and a NAT NHRP extension
carrying the NBMA address of the hub as configured on the spoke.
2. The hub compares the NHRP (NAT) extension with its configured NBMA address and determines whether
it itself is behind a NAT device. The hub also notes whether the spoke is behind a NAT device by
comparing the incoming GRE/IP source address with the spoke’s NBMA address in the NHRP packet.
3. The registration reply from the hub to the spoke includes a NAT NHRP extension carrying the post-NAT
address of the spoke, if the hub detected that the spoke is behind a NAT device.
4. If the spoke receives a NAT NHRP extension in the NHRP registration reply, it records its post-NAT IP
address for possible later use.

NHRP Resolution and Purge Process


The following steps describe the NHRP resolution and purge process:
1. When a spoke is behind a NAT device, it includes a NAT NHRP extension when it sends NHRP resolution
requests.
2. The hub receives the resolution request. If the spoke is behind a NAT device and the request carries no
NAT extension, the hub adds a NAT extension before forwarding the request to the next node (spoke or next
hop server) along the path. However, if the hub is forwarding the request to a node that is not NAT-extension
capable, it rewrites the source NBMA address inside the packet to the requesting spoke’s post-NAT IP address
rather than its pre-NAT IP address.
3. The receiver (spoke) uses the NAT NHRP extension record (NAT capable) or the source NBMA address
(non-NAT capable) to build the tunnel. This spoke’s reply includes its own NAT extension if it is behind a
NAT device.

Note Hubs do not answer NHRP resolution requests on behalf of spokes. Hubs always forward NHRP resolution
requests to the end spoke that has the requested tunnel IP address or services the requested data from the host
IP address.

The following describes the NHRP resolution process between Spoke A and Spoke B shown in the figure
above, where Spoke B is behind a NAT device with pre-NAT address 172.16.2.1 and post-NAT address of
172.18.2.1:
• Data traffic to the 192.168.2.0/24 network from hosts behind Spoke A triggers an NHRP resolution
request for Spoke B’s tunnel IP address (10.0.0.12) to be sent through the hub. The hub receives a
resolution request and forwards it to Spoke B. Spoke B creates a dynamic spoke-to-spoke tunnel using
the source NBMA IP address for Spoke A from the NHRP resolution request and sends an NHRP
resolution reply directly to Spoke A. It includes its post-NAT address in the NAT NHRP-extension
header.
• Alternatively, traffic to the 192.168.1.0/24 network from hosts behind the NAT device on Spoke B triggers
an NHRP resolution request for Spoke A’s tunnel IP address (10.0.0.11). Spoke B adds its own post-NAT
IP address in the NHRP NAT-extension in the resolution request. The hub receives a resolution request
and forwards it to Spoke A. Spoke A parses the NHRP NAT-extension and builds a tunnel using Spoke
B’s post-NAT address and replies directly to Spoke B.
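As an added example (not Cisco code), the following Python model contrasts the two hub behaviours this chapter describes: the hub-proxy resolution under “NHRP Resolution” above, and the NAT-extension registration and resolution steps just described. It uses the chapter’s addresses (hub NBMA 172.17.0.1, Spoke A 10.0.0.11, Spoke B 10.0.0.12 with pre-NAT 172.16.2.1 and post-NAT 172.18.2.1); Spoke A’s NBMA address 172.16.1.1 and the legacy hub answering non-NAT requests from its own cache are assumptions.

```python
"""Constructed model of NHRP registration and resolution with and without the NAT
extension. Not Cisco code. Spoke A's NBMA 172.16.1.1 is an assumed value."""
from dataclasses import dataclass, replace
from typing import Optional

HUB_NBMA = "172.17.0.1"


@dataclass
class CacheEntry:
    tunnel_ip: str      # VPN (tunnel) address registered by the spoke
    nbma: str           # outer GRE/IP source seen by the hub (post-NAT if translated)
    claimed_nbma: str   # source NBMA carried inside the NHRP packet (pre-NAT)
    nat_capable: bool   # NAT-capability bit in the NHRP header

    @property
    def behind_nat(self) -> bool:
        # Registration: outer source != claimed NBMA means NAT rewrote the header.
        return self.nbma != self.claimed_nbma


@dataclass
class ResolutionRequest:
    requester: str                 # tunnel IP of the spoke asking
    target: str                    # tunnel IP being resolved
    src_nbma: str                  # source NBMA inside the packet (pre-NAT)
    nat_ext: Optional[str] = None  # post-NAT address in the NAT extension, if any


class Hub:
    def __init__(self, nat_extension: bool, nbma: str = HUB_NBMA):
        self.nbma = nbma
        self.nat_extension = nat_extension   # False = legacy hub-proxy behaviour
        self.cache: dict = {}

    def register(self, tunnel_ip, claimed_nbma, outer_src, nat_capable=True) -> Optional[str]:
        """Keep both pre- and post-NAT addresses; return the post-NAT address that the
        registration reply carries in its NAT extension (None when not applicable)."""
        entry = CacheEntry(tunnel_ip, outer_src, claimed_nbma, nat_capable)
        self.cache[tunnel_ip] = entry
        return entry.nbma if self.nat_extension and entry.behind_nat else None

    def resolve(self, req: ResolutionRequest) -> dict:
        requester, target = self.cache[req.requester], self.cache[req.target]
        if not self.nat_extension:
            # Legacy: answer from the cache (assumption); if either spoke is behind
            # NAT, reply with the hub's OWN NBMA so traffic stays on the hub path.
            nbma = self.nbma if requester.behind_nat or target.behind_nat else target.nbma
            return {"action": "proxy-reply", "nbma": nbma}
        fwd = replace(req)                        # hubs forward, never answer
        if requester.behind_nat and fwd.nat_ext is None:
            fwd.nat_ext = requester.nbma          # hub adds the missing NAT extension
        if not target.nat_capable and fwd.nat_ext:
            # Receiver cannot parse the extension: rewrite source NBMA to post-NAT.
            fwd.src_nbma, fwd.nat_ext = fwd.nat_ext, None
        return {"action": "forward", "to": target.tunnel_ip, "request": fwd}


def spoke_peer_address(req: ResolutionRequest) -> str:
    """Address the receiving spoke builds its spoke-to-spoke tunnel to: the NAT
    extension when present, otherwise the source NBMA inside the packet."""
    return req.nat_ext or req.src_nbma


def demo(nat_extension: bool, spoke_a_nat_capable: bool = True) -> dict:
    """Register both spokes, resolve A->B and B->A, and report what each side does."""
    hub = Hub(nat_extension)
    hub.register("10.0.0.11", "172.16.1.1", "172.16.1.1", spoke_a_nat_capable)  # Spoke A, not NATed
    reg_ext = hub.register("10.0.0.12", "172.16.2.1", "172.18.2.1")            # Spoke B, behind NAT
    a_to_b = hub.resolve(ResolutionRequest("10.0.0.11", "10.0.0.12", "172.16.1.1"))
    # Spoke B includes the post-NAT address it learned from the registration reply.
    b_to_a = hub.resolve(ResolutionRequest("10.0.0.12", "10.0.0.11", "172.16.2.1", reg_ext))
    out = {"b_post_nat_from_reply": reg_ext, "a_to_b": a_to_b, "b_to_a": b_to_a}
    if a_to_b["action"] == "forward":
        out["b_builds_tunnel_to"] = spoke_peer_address(a_to_b["request"])
        out["a_builds_tunnel_to"] = spoke_peer_address(b_to_a["request"])
    return out


if __name__ == "__main__":
    print("legacy hub:", demo(nat_extension=False))
    print("NAT extension:", demo(nat_extension=True))
    print("NAT extension, Spoke A not NAT-capable:", demo(True, spoke_a_nat_capable=False))
```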

Additional References
Related Documents

Related Topic | Document Title
NHRP commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples | Cisco IOS IP Addressing Services Command Reference
Dynamic multipoint VPN | Dynamic Multipoint VPN (DMVPN)

Standards

Standard | Title
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. | --

MIBs

MIB | MIBs Link
No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature. | To locate and download MIBs for selected platforms, Cisco IOS software releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs

RFCs

RFC | Title
No new or modified RFCs are supported by this release. | --

Technical Assistance

Description | Link
The Cisco Support website provides extensive online resources, including documentation and tools for
troubleshooting and resolving technical issues with Cisco products and technologies.
To receive security and technical information about your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and
Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. | http://www.cisco.com/techsupport

Feature Information for DMVPN Dynamic Tunnels Between Spokes Behind a NAT Device

The following table provides release information about the feature or features described in this module. This
table lists only the software release that introduced support for a given feature in a given software release
train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 17: Feature Information for DMVPN: Dynamic Tunnels Between Spokes Behind a NAT Device

Feature Name | Releases | Feature Information
DMVPN: Dynamic Tunnels Between Spokes Behind a NAT Device | 12.4(15)T | The DMVPN: Dynamic Tunnels
Between Spokes Behind a NAT Device feature allows NHRP spoke-to-spoke tunnels to be built in DMVPN
networks, even if one or more spokes is behind a Network Address Translation (NAT) device.

CHAPTER 10
DHCP Tunnels Support
The DHCP Tunnels Support feature provides the capability to configure the node (or spoke) of the generic
routing encapsulation (GRE) tunnel interfaces dynamically using DHCP.
In a Dynamic Multipoint VPN (DMVPN) network, each participating spoke must have a unique IP address
belonging to the same IP subnet. It is difficult for a network administrator to configure the spoke addresses
manually on a large DMVPN network. Hence, DHCP is used to configure the spoke address dynamically on
a DMVPN network.
• Finding Feature Information, on page 149
• Restrictions for DHCP Tunnels Support, on page 149
• Information About DHCP Tunnels Support, on page 150
• How to Configure DHCP Tunnels Support, on page 151
• Configuration Examples for DHCP Tunnels Support, on page 153
• Additional References, on page 154
• Feature Information for DHCP Tunnels Support, on page 155

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Restrictions for DHCP Tunnels Support


• The DHCP functionality of address validation is not supported on DMVPN.
• The DHCP IP address is not assigned to the spoke when configured in DMVPN phase 1.
• When you register the spoke to the hub using the ip nhrp nhs {dynamic nbma nbma-address |
FQDN-string} [multicast] command, the unicast adjacency is only created after the session comes up.

• When using the Dual-hub single-DMVPN topology, Cisco DHCP server automatically changes the
unicast flag to broadcast mode. To prevent this automatic change, run the following command on the
Cisco DHCP server:
no ip dhcp auto-broadcast

• When DHCP is configured on an interface, the interface may take more time than usual to shutdown.

Information About DHCP Tunnels Support


DHCP Overview
DHCP is based on the Bootstrap Protocol (BOOTP), which provides the framework for passing configuration
information to hosts on a TCP/IP network. DHCP adds the capability to automatically allocate reusable network
addresses and configuration options to Internet hosts. DHCP consists of two components: a protocol for
delivering host-specific configuration parameters from a DHCP server to a host and a mechanism for allocating
network addresses to hosts. DHCP is built on a client/server model, where designated DHCP server hosts
allocate network addresses and deliver configuration parameters to dynamically configured hosts. See the
“DHCP” section of the Cisco IOS IP Addressing Configuration Guide for more information.

DHCP Behavior on a Tunnel Network


DMVPN spoke nodes establish a tunnel with a preconfigured DMVPN next hop server (NHS) (hub node)
and exchange IP packets with the NHS before an IP address is configured on the tunnel interface. This allows
the DHCP client on the spoke and the DHCP relay agent or the DHCP server on the NHS to send and receive
the DHCP messages. A DHCP relay agent is any host that forwards DHCP packets between clients and servers.
When the tunnel on a spoke is in the UP state or becomes active, the spoke establishes a tunnel with the
preconfigured hub node. The tunnel formation may include setting up IP Security (IPsec) encryption for the
tunnel between the spoke and the hub. DHCP receives the GRE tunnel interface UP notification only after
the spoke establishes a tunnel with the hub. The DHCP client configured on the spoke must exchange the
DHCP IP packets with the hub (DHCP relay agent or server) to obtain an IP address for the GRE tunnel
interface. Therefore, the spoke-to-hub tunnel must be in active state before the GRE tunnel interface UP
notification is sent to the DHCP server or the relay agent.
IP packets that are broadcast on the DMVPN spoke tunnel interface reach the DMVPN hub. Before the spoke has an
IP address on the GRE tunnel interface, it broadcasts a DHCPDISCOVER message, which reaches the DHCP relay agent
(or DHCP server) on the hub. The reply (DHCPOFFER) has to be unicast back to the client, but the hub cannot send IP
packets to the spoke over the tunnel before it receives a Next Hop Resolution Protocol (NHRP) registration from the
spoke, and that registration is held back until DHCP completes (see the note below). To close this gap, the DHCP relay
agent on the DMVPN hub records mapping information (the NBMA address of the spoke) with the DHCP client packets
(DHCPDISCOVER and DHCPREQUEST) so that the reply can still be delivered.
Depending on whether the hub is a DHCP server or a DHCP relay agent, the mapping is handled differently.
• If the hub is a DHCP server, the Non-Broadcast Multiple Access (NBMA) address is known and a
temporary mapping is created on the hub. The hub then unicasts a reply to the spoke.
• If the hub is a DHCP relay agent, the server behind the relay assigns the address. To preserve the NBMA
address of the spoke, the address is attached to the DHCP message. When the reply is received, the
NBMA address is fetched from the message. The address is sent to the spoke to create the mapping.

Dynamic Multipoint VPN Configuration Guide, Cisco IOS Release 15M&T



Note The NHRP registration sent by the spoke is suppressed until DHCP obtains an address for the GRE tunnel
interface. This allows a reliable exchange of standard DHCP messages before the tunnel address exists.

DMVPN Hub as a DHCP Relay Agent


Relay agents are not required for DHCP to work. Relay agents are used only when the DHCP client and server
are in different subnets. The relay agent acts as a communication channel between the DHCP client and server.
The DHCP--Tunnels Support feature requires the DMVPN hub to act as a relay agent to relay the DHCP
messages to the DHCP server.
The DHCP server is located outside the DMVPN network and is accessible from the DMVPN hub nodes
through a physical path. The spoke nodes reach the DHCP servers through the hub-to-spoke tunnel (GRE
tunnel). The DHCP server is not directly reachable from the DMVPN spoke. The DHCP relay agent on the
DMVPN hub helps the DHCP protocol message exchange between the DHCP client on the spoke and the
DHCP server.

DMVPN Topologies
Dual-Hub Single-DMVPN Topology
In a dual-hub single-DMVPN topology, both the hubs must be connected to the same DHCP server that has
the high availability (HA) support to maintain DMVPN redundancy. If the hubs are connected to different
DHCP servers, they must be configured with mutually exclusive IP address pools for address allocation.

Dual-Hub Dual-DMVPN Topology


In the dual-hub dual-DMVPN topology, each hub is connected to a separate DHCP server. The DMVPN hubs
(DHCP relay agents) insert their client-facing tunnel IP address (the giaddr field) in the relayed DHCP requests,
and the DHCP server uses that address to allocate an IP address from the correct pool.

Hierarchical DMVPN Topology


In a hierarchical DMVPN topology, there are multiple levels of DMVPN hubs, but all the tunnel interface IP
addresses are allocated from the same IP subnet. The DHCP client broadcast packets reach only the directly
connected hubs. Hence, the DMVPN hubs at all levels must be either DHCP servers or DHCP relay agents. If DHCP
servers are used, the servers must synchronize their databases. Otherwise, the DMVPN hubs must be configured as
DHCP relay agents to forward the DHCP client packets to the central DHCP servers. If the DHCP server is located at
the central hub, all DHCP broadcasts are relayed through the relay agents until they reach the DHCP server.

How to Configure DHCP Tunnels Support


Configuring the DHCP Relay Agent to Unicast DHCP Replies
Perform this task to configure the DHCP relay agent (hub) to unicast DHCP replies.


By default, DHCP replies are broadcast from the DMVPN hub to the spokes. On a multipoint GRE hub interface a
broadcast is replicated to every spoke that has a multicast mapping, which produces a burst of traffic, and the
DHCP Tunnels Support feature does not function if the DHCP messages are broadcast. Hence, you must configure the
DHCP relay agent to unicast the DHCP messages for DHCP to be functional in a DMVPN environment.

SUMMARY STEPS
1. enable
2. configure terminal
3. ip dhcp support tunnel unicast
4. exit

DETAILED STEPS

Step 1: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
Router> enable

Step 2: configure terminal
Purpose: Enters global configuration mode.
Example:
Router# configure terminal

Step 3: ip dhcp support tunnel unicast
Purpose: Configures a spoke-to-hub tunnel to unicast DHCP replies over the DMVPN network.
Example:
Router(config)# ip dhcp support tunnel unicast

Step 4: exit
Purpose: Exits global configuration mode.
Example:
Router(config)# exit

Configuring a DMVPN Spoke to Clear the Broadcast Flag


Perform this task to configure a DMVPN spoke to clear the broadcast flag.
By default, DMVPN spokes set the broadcast flag in the DHCP DISCOVER and REQUEST messages.
Therefore the DHCP relay agent is forced to broadcast the DHCP replies back to the spokes, even though the
relay agent has sufficient information to unicast DHCP replies. Hence, you must clear the broadcast flag from
the DMVPN spoke.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface tunnel number
4. ip dhcp client broadcast-flag clear
5. exit

DETAILED STEPS

Step 1: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
Router> enable

Step 2: configure terminal
Purpose: Enters global configuration mode.
Example:
Router# configure terminal

Step 3: interface tunnel number
Purpose: Configures a tunnel interface and enters interface configuration mode.
Example:
Router(config)# interface tunnel 1

Step 4: ip dhcp client broadcast-flag clear
Purpose: Configures the DHCP client to clear the broadcast flag.
Example:
Router(config-if)# ip dhcp client broadcast-flag clear

Step 5: exit
Purpose: Exits interface configuration mode and returns to global configuration mode.
Example:
Router(config-if)# exit

Configuration Examples for DHCP Tunnels Support


Example Configuring a DHCP Relay Agent to Unicast DHCP Replies
The following example shows how to configure a DHCP relay agent to unicast DHCP replies:

Device# configure terminal


Device(config)# ip dhcp support tunnel unicast
Device(config)# exit
.
.
.


Example Configuring a DMVPN Spoke to Clear the Broadcast Flag and Set the IP Address to DHCP
The following example shows how to configure a DMVPN spoke to clear the broadcast flag and set the tunnel
interface IP address to DHCP:

Device# configure terminal
Device(config)# interface tunnel 1
Device(config-if)# ip dhcp client broadcast-flag clear
Device(config-if)# ip address dhcp
Device(config-if)# exit
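The two tasks above act on the same RFC 2131 bit from opposite ends: the spoke stops asking for a broadcast reply, and the hub stops sending one. The following Python is an added example, not part of this guide and not Cisco code. It encodes and decodes the DHCP header fields involved, shows what clearing the broadcast flag changes on the wire, and applies the reply-routing rules of RFC 2131 section 4.1 (server) and RFC 1542 (relay agent) that decide whether a reply is broadcast or unicast. The force_unicast parameter stands in for the hub-side ip dhcp support tunnel unicast behaviour as this module describes it; that mapping is an assumption, as are the sample MAC address and IP addresses.

```python
"""RFC 2131 DHCPv4 messages: the BROADCAST flag on the wire and the reply-routing
decision it drives on the server and on the relay agent (the DMVPN hub).
Added example for this guide; not Cisco code and not a full DHCP client."""
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER = 1, 2
FLAG_BROADCAST = 0x8000                       # bit 15 of 'flags', RFC 2131 section 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_PAD, OPT_END = 53, 0, 255
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"    # fixed 236-byte BOOTP header


def _pack_ip(dotted):
    return bytes(int(o) for o in dotted.split("."))


def _unpack_ip(raw):
    return ".".join(str(b) for b in raw)


def build_message(op, msg_type, xid, chaddr, *, broadcast=False,
                  ciaddr="0.0.0.0", yiaddr="0.0.0.0", giaddr="0.0.0.0"):
    """Encode a minimal DHCP message: header, magic cookie, option 53, END."""
    mac = bytes.fromhex(chaddr.replace(":", "")).ljust(16, b"\x00")
    header = struct.pack(HEADER_FMT, op, 1, 6, 0, xid, 0,
                         FLAG_BROADCAST if broadcast else 0,
                         _pack_ip(ciaddr), _pack_ip(yiaddr), _pack_ip("0.0.0.0"),
                         _pack_ip(giaddr), mac, b"\x00" * 64, b"\x00" * 128)
    return header + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, msg_type, OPT_END])


def parse_message(data):
    """Decode the fields that matter for reply routing; reject non-DHCP payloads."""
    if len(data) < 240 or data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    (op, _htype, hlen, _hops, xid, _secs, flags, ciaddr, yiaddr, _siaddr,
     giaddr, chaddr, _sname, _file) = struct.unpack(HEADER_FMT, data[:236])
    msg_type, i = None, 240
    while i < len(data) and data[i] != OPT_END:
        if data[i] == OPT_PAD:
            i += 1
            continue
        code, length = data[i], data[i + 1]
        if code == OPT_MSG_TYPE:
            msg_type = data[i + 2]
        i += 2 + length
    return {"op": op, "xid": xid, "msg_type": msg_type,
            "broadcast": bool(flags & FLAG_BROADCAST),
            "ciaddr": _unpack_ip(ciaddr), "yiaddr": _unpack_ip(yiaddr),
            "giaddr": _unpack_ip(giaddr),
            "chaddr": ":".join(f"{b:02x}" for b in chaddr[:hlen])}


def clear_broadcast_flag(data):
    """The on-wire effect of 'ip dhcp client broadcast-flag clear': the same
    message with bit 15 of the 'flags' field (byte offset 10) cleared."""
    flags = struct.unpack("!H", data[10:12])[0] & ~FLAG_BROADCAST
    return data[:10] + struct.pack("!H", flags) + data[12:]


def server_reply_destination(request, offered_ip):
    """RFC 2131 section 4.1: where the server sends DHCPOFFER/DHCPACK."""
    if request["giaddr"] != "0.0.0.0":
        return request["giaddr"]              # via the relay agent (the hub)
    if request["ciaddr"] != "0.0.0.0":
        return request["ciaddr"]              # client already has an address
    if request["broadcast"]:
        return "255.255.255.255"
    return offered_ip                         # unicast to yiaddr / chaddr


def relay_reply_destination(reply, force_unicast=False):
    """RFC 1542 relay forwarding of a BOOTREPLY to the client: a set BROADCAST
    flag forces a broadcast, a clear flag allows unicast to yiaddr. force_unicast
    models the hub-side 'ip dhcp support tunnel unicast' as this guide describes
    it (an assumption about the mechanism, not Cisco's implementation)."""
    if reply["broadcast"] and not force_unicast:
        return "255.255.255.255"
    return reply["yiaddr"]
```

With the flag set, a DHCPDISCOVER that reaches the server directly and a DHCPOFFER that a relay agent forwards are both answered to 255.255.255.255; after clear_broadcast_flag the same message gets a unicast reply to the offered address, which is what lets the hub deliver the offer over the spoke's NBMA mapping instead of replicating it to every spoke.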

Additional References
Related Documents

Related Topic Document Title

Cisco IOS commands Cisco IOS Master Commands List, All Releases

Cisco IOS security commands Cisco IOS Security Command Reference

Cisco IOS IP addressing configuration tasks Cisco IOS IP Addressing Configuration Guide

Cisco IOS IP addressing services commands Cisco IOS IP Addressing Services Command Reference

Standards

Standard Title

-- No new or modified standards are supported by this feature, and support for existing standards
has not been modified by this feature.

MIBs

MIB: No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified
by this feature.
MIBs Link: To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use
Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs

RFCs

RFC Title

RFC 2131 Dynamic Host Configuration Protocol


Technical Assistance

Description: The Cisco Support and Documentation website provides online resources to download documentation,
software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve
technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and
Documentation website requires a Cisco.com user ID and password.
Link: http://www.cisco.com/cisco/web/support/index.html

Feature Information for DHCP Tunnels Support


The following table provides release information about the feature or features described in this module. This
table lists only the software release that introduced support for a given feature in a given software release
train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 18: Feature Information for DHCP-Tunnels Support

Feature Name: DHCP--Tunnels Support
Releases: Cisco IOS XE Release 16.12
Feature Information: The DHCP--Tunnels Support feature provides the capability to configure the node (or spoke)
of the GRE tunnel interfaces dynamically using DHCP.
The following commands were introduced or modified: ip address dhcp, ip dhcp client broadcast-flag, ip dhcp
support tunnel unicast.

CHAPTER 11
Sharing IPsec with Tunnel Protection
The Sharing IPsec with Tunnel Protection feature allows sharing an IPsec security association database (SADB)
between two or more generic routing encapsulation (GRE) tunnel interfaces when tunnel protection is used.
Shared tunnel interfaces have a single underlying cryptographic SADB, cryptographic map, and IPsec profile
in the Dynamic Multipoint Virtual Private Network (DMVPN) configuration.
The Sharing IPsec with Tunnel Protection feature is required in some DMVPN configurations. If IPsec SA
sessions are not shared within the same IPsec SADB, an IPsec SA may be associated with the wrong IPsec
SADB and therefore with the wrong tunnel interface, thereby causing duplicate IPsec security associations
(SAs) and tunnel interfaces to flap, which in turn results in network connectivity problems.

Note Security threats and the cryptographic technologies to help protect against such threats are constantly changing.
For more information about the latest Cisco cryptographic recommendations, see the Next Generation
Encryption (NGE) white paper.

• Finding Feature Information, on page 157
• Restrictions for Sharing IPsec with Tunnel Protection, on page 158
• Information About Sharing IPsec with Tunnel Protection, on page 159
• How to Share an IPsec Session Between Multiple Tunnels, on page 160
• Configuration Examples for Sharing IPsec with Tunnel Protection, on page 161
• Additional References for Sharing IPsec with Tunnel Protection, on page 171
• Feature Information for Sharing IPsec with Tunnel Protection, on page 172
• Glossary, on page 173

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.


Restrictions for Sharing IPsec with Tunnel Protection


• If two or more generic routing encapsulation (GRE) tunnel interfaces share the same tunnel source interface
and one of the GRE tunnel interfaces is a multipoint GRE (mGRE) tunnel interface, all tunnels with the same
tunnel source must use different tunnel keys, the same IPsec profile name, and the shared keyword with the
tunnel protection command.
• If there are multiple point-to-point GRE tunnel interfaces that share the same tunnel source interface
with the same tunnel destination address, the GRE tunnels must use different tunnel keys, the same IPsec
profile name, and the shared keyword in the tunnel protection command.
• Shared tunnel protection is not required and should not be used when several point-to-point GRE tunnels
share the same tunnel source but have unique tunnel destination IP addresses.
• The tunnel source command on all tunnel interfaces that use shared tunnel protection must be configured
using the interface type and number and not the IP address.

Note It is recommended that the tunnel source command be configured with an interface rather than an IP
address on all GRE tunnels.

• Different IPsec profile names must be used for shared and unshared tunnels. For example, if “tunnel 1”
is configured with the tunnel source loopback1 command, and “tunnel 2” and “tunnel 3” are shared
using the tunnel source loopback2 command, use separate IPsec profiles, for example, define
IPsec_profile_1 for tunnel 1 and IPsec_profile_2 for tunnels 2 and 3.
• A different IPsec profile must be used for each set of shared tunnels. For example, if tunnels 1 through 5
use tunnel source loopback1 and tunnels 6 through 10 use tunnel source loopback2, use IPsec_profile_1
for tunnels 1 through 5 and IPsec_profile_2 for tunnels 6 through 10.
• There are a few exceptions to the above rules:
• Several mGRE tunnels sharing the same tunnel source interface can be configured without the
shared keyword in the tunnel protection command if they use different IPsec profiles with different
IPsec transform sets. Different IPsec transform sets disambiguate tunnel setup in this case. Each
mGRE tunnel interface must still be configured with a different tunnel key. This applies to several
mGRE tunnels and point-to-point GRE tunnels sharing the same tunnel source. This method cannot
be used if several point-to-point GRE tunnels share the same tunnel source interface and the same
tunnel destination address.
• Sometimes, it may be desirable not to share an IPsec session between two or more tunnel interfaces
using the same tunnel source. For example, in a service provider environment, each DMVPN cloud
can represent a different customer. It is desirable to lock the connections from a customer to a tunnel
interface and not share or allow IPsec sessions from other customers. In such scenarios, Internet
Security Association and Key Management Protocol (ISAKMP) profiles can be used to identify
and bind customer connections to an ISAKMP profile and through that to an IPsec profile. This
ISAKMP profile limits the IPsec profile to accept only those connections that match the corresponding
ISAKMP profile. Separate ISAKMP and IPsec profiles can be obtained for each DMVPN cloud
(tunnel interface) without sharing the same IPsec Security Association Database (SADB).


Note An exception is multiple ISAKMP sessions between the same peers, which will not work. For example, in a
dual-hub dual-DMVPN setup, the security associations (SAs) for the second tunnel interface between the hubs
will not come up without sharing the SADB. Hence, the hubs cannot register to each other on both mGRE
tunnel interfaces without using the shared keyword in the tunnel protection command.

• Shared tunnel protection is not supported for an IPsec virtual tunnel interface (VTI). If VTI tunnels share
the same tunnel source with GRE or mGRE tunnels that have shared tunnel protection, the VTI tunnels must be
configured with different IPsec profiles without using the shared keyword.
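Because these rules interact (a missing shared keyword on one tunnel, a reused tunnel key, or a profile used across two tunnel sources each lead to the SA-binding problems described at the start of this chapter), it helps to check a configuration mechanically before deploying it. The following Python linter is an added example, not Cisco tooling: it parses the interface Tunnel blocks of an IOS configuration and reports violations of the rules above. The sample spoke configuration it carries is constructed to mirror the dual-hub example later in this chapter; the "different IPsec transform sets" exception is deliberately not modelled, so two profiles on one shared tunnel source are always reported.

```python
"""Static check of Cisco IOS tunnel interfaces against the shared tunnel
protection rules listed above. Added example for this guide, not Cisco
tooling; the 'different IPsec transform sets' exception is not modelled."""
import re
from collections import defaultdict

_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_tunnels(config):
    """Collect source, destination, key, GRE mode and protection per TunnelN."""
    tunnels, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+tunnel\s*(\d+)$", line, re.I)
        if m:
            cur = tunnels.setdefault("Tunnel" + m.group(1), dict(
                source=None, dest=None, key=None, mgre=False, profile=None, shared=False))
            continue
        if line.startswith("interface ") or line == "!":
            cur = None                                   # left the tunnel block
        if cur is None:
            continue
        words = line.lower().split()
        if words[:2] == ["tunnel", "source"]:
            cur["source"] = "".join(line.split()[2:])    # 'Ethernet 0' -> 'Ethernet0'
        elif words[:2] == ["tunnel", "destination"]:
            cur["dest"] = words[2]
        elif words[:2] == ["tunnel", "key"]:
            cur["key"] = int(words[2])
        elif words[:4] == ["tunnel", "mode", "gre", "multipoint"]:
            cur["mgre"] = True
        elif words[:4] == ["tunnel", "protection", "ipsec", "profile"]:
            cur["profile"], cur["shared"] = line.split()[4], "shared" in words[5:]
    return tunnels


def check_shared_protection(tunnels):
    """Return the rule violations found (an empty list means the config is consistent)."""
    problems, by_source, seen, prof_src = [], defaultdict(list), {}, defaultdict(set)
    for name, t in tunnels.items():
        by_source[t["source"]].append(name)
        prof_src[t["profile"]].add(t["source"])
        if t["shared"] and t["source"] and _IPV4.match(t["source"]):
            problems.append(f"{name}: shared protection needs 'tunnel source <interface>', not an IP")
        ident = (t["source"], None if t["mgre"] else t["dest"], t["key"])  # unique per device
        if ident in seen:
            problems.append(f"{name} and {seen[ident]}: same tunnel source/destination/key {ident}")
        seen[ident] = name
    for src, names in by_source.items():
        if len(names) < 2:
            continue
        by_dest = defaultdict(list)
        for n in names:
            if not tunnels[n]["mgre"]:
                by_dest[tunnels[n]["dest"]].append(n)
        # 'shared' is required on every tunnel if an mGRE tunnel reuses this source,
        # otherwise only on point-to-point tunnels that also share a destination
        if any(tunnels[n]["mgre"] for n in names):
            need = set(names)
        else:
            need = {n for ns in by_dest.values() if len(ns) > 1 for n in ns}
        for n in sorted(need):
            if not tunnels[n]["shared"]:
                problems.append(f"{n}: needs 'shared' (source {src} is reused by an mGRE or same-destination tunnel)")
        for n in sorted(set(names) - need):
            if tunnels[n]["shared"]:
                problems.append(f"{n}: 'shared' should not be used; point-to-point tunnels on {src} have unique destinations")
        profiles = {tunnels[n]["profile"] for n in need}
        keys = [tunnels[n]["key"] for n in need]
        if len(profiles) > 1:
            problems.append(f"tunnels on {src}: shared tunnels must use one IPsec profile, found {sorted(map(str, profiles))}")
        if len(set(keys)) != len(keys):
            problems.append(f"tunnels on {src}: shared tunnels must use distinct tunnel keys, found {keys}")
    for prof, srcs in prof_src.items():
        if prof and len(srcs) > 1:
            problems.append(f"IPsec profile {prof} is used on tunnel sources {sorted(srcs)}; use one profile per shared set")
    return problems


# Constructed spoke modelled on the dual-DMVPN example in this chapter (no violations expected)
GOOD_SPOKE = """interface Tunnel0
 tunnel source Ethernet0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile vpnprof shared
!
interface Tunnel1
 tunnel source Ethernet 0
 tunnel mode gre multipoint
 tunnel key 100001
 tunnel protection ipsec profile vpnprof shared
!
interface Ethernet0
 ip address dhcp hostname Spoke1
!"""
# Same spoke with two mistakes on Tunnel1: it reuses Tunnel0's key and drops 'shared'
BAD_SPOKE = GOOD_SPOKE.replace(" tunnel key 100001\n tunnel protection ipsec profile vpnprof shared",
                               " tunnel key 100000\n tunnel protection ipsec profile vpnprof")
```

check_shared_protection(parse_tunnels(GOOD_SPOKE)) returns an empty list; the BAD_SPOKE variant is reported three times (Tunnel1 lacks shared, the two mGRE tunnels collide on the source/key pair, and the shared set has duplicate keys). Two point-to-point tunnels with one source but distinct destinations are flagged if they carry the shared keyword, and a shared tunnel sourced from an IP address rather than an interface is flagged on its own.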

Information About Sharing IPsec with Tunnel Protection


Single IPsec SA
In a dual-hub, dual-DMVPN topology, it is possible to have two or more generic routing encapsulation (GRE)
tunnel sessions (same tunnel source and destination, but different tunnel keys) between the same two endpoints.
In this case, it is desirable to use a single IPsec SA to secure both GRE tunnel sessions. Without sharing, it is
also not possible to decide under which tunnel interface an incoming IPsec Quick Mode (QM) request must be
processed and bound when two tunnel interfaces use the same tunnel source, because the QM proposal identifies
only the GRE endpoints (protocol 47 between the two addresses), not the tunnel key.
The tunnel protection IPsec profile shared command is used to create a single IPsec SADB for all the tunnel
interfaces that use the same profile and tunnel source interface. This allows a single IPsec SA to be used for
all GRE tunnels (same tunnel source and destination, but different tunnel keys) between the same two endpoints.
It also makes IPsec QM processing unambiguous because there is one SADB to process the incoming IPsec
QM request for all shared tunnel interfaces as opposed to multiple SADBs, one for each tunnel interface when
the tunnel interface is not shared.
The SA of a QM proposal to a tunnel interface is processed by using the shared SADB and crypto map
parameters. On the crypto-data plane, the decrypted and GRE decapsulated packets are demultiplexed to the
appropriate tunnel interface by the GRE module using a local address, remote address, and optional tunnel
key information.

Note The tunnel source, tunnel destination, and tunnel key (triplet) must be unique for all tunnel interfaces on a
device. For multipoint GRE interfaces, where the tunnel destination is not configured, the pair (tunnel source
and tunnel key) must be unique. Incoming GRE packets are matched to point-to-point GRE tunnels first; if there
is no match, they are matched to mGRE tunnels.
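The note above is the data-plane half of the picture: once IPsec has decrypted a packet, only the outer addresses and the GRE key header are left to pick the tunnel interface. The following Python is an added example (not Cisco code) that parses the RFC 2784/2890 GRE header and applies that match order to a constructed set of tunnels sourced from one NBMA address; a packet whose key matches no tunnel is dropped rather than delivered to a keyless one. The tunnel names and addresses are constructed to resemble the spoke in the configuration example that follows.

```python
"""GRE header parsing and tunnel demultiplexing in the order the note above
describes: point-to-point tunnels first, then mGRE by (source, key).
Added example for this guide; not Cisco code. Tunnels and packets are constructed."""
import struct

GRE_C, GRE_K, GRE_S = 0x8000, 0x2000, 0x1000     # RFC 2784 / RFC 2890 flag bits
ETH_P_IP = 0x0800


def build_gre(payload, key=None, seq=None, proto=ETH_P_IP):
    """GRE header (version 0, no checksum) with optional key and sequence number."""
    flags = (GRE_K if key is not None else 0) | (GRE_S if seq is not None else 0)
    hdr = struct.pack("!HH", flags, proto)
    if key is not None:
        hdr += struct.pack("!I", key)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    return hdr + payload


def parse_gre(packet):
    """Return protocol, key, sequence number and payload; reject unknown versions."""
    flags, proto = struct.unpack("!HH", packet[:4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    off, key, seq = 4, None, None
    if flags & GRE_C:
        off += 4                                 # checksum + reserved1
    if flags & GRE_K:
        key, off = struct.unpack("!I", packet[off:off + 4])[0], off + 4
    if flags & GRE_S:
        seq, off = struct.unpack("!I", packet[off:off + 4])[0], off + 4
    return {"proto": proto, "key": key, "seq": seq, "payload": packet[off:]}


def select_tunnel(tunnels, local, remote, key):
    """tunnels: iterable of (name, source_ip, dest_ip_or_None, key_or_None).
    A point-to-point tunnel wins on an exact (source, destination, key) match;
    otherwise an mGRE tunnel matches on (source, key); otherwise the packet is
    dropped (None). A key mismatch never falls through to a keyless tunnel."""
    for name, src, dst, k in tunnels:
        if dst is not None and (src, dst, k) == (local, remote, key):
            return name
    for name, src, dst, k in tunnels:
        if dst is None and (src, k) == (local, key):
            return name
    return None


# Constructed spoke: two mGRE tunnels (DMVPN 1 and 2) plus one point-to-point
# tunnel, all sourced from the same NBMA address.
SPOKE_TUNNELS = [
    ("Tunnel0", "172.16.0.11", None, 100000),
    ("Tunnel1", "172.16.0.11", None, 100001),
    ("Tunnel2", "172.16.0.11", "172.16.0.9", None),
]


def demux(tunnels, outer_src, outer_dst, packet):
    """Decapsulate one GRE packet arriving on outer (src, dst) and name its tunnel."""
    gre = parse_gre(packet)
    return select_tunnel(tunnels, outer_dst, outer_src, gre["key"]), gre["payload"]
```

demux(SPOKE_TUNNELS, "172.16.0.12", "172.16.0.11", build_gre(b"inner", key=100001)) lands on Tunnel1, the same peer with key 100000 lands on Tunnel0, an unkeyed packet from 172.16.0.9 matches the point-to-point Tunnel2, and an unkeyed or wrongly keyed packet from any other peer is dropped.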


How to Share an IPsec Session Between Multiple Tunnels


Sharing an IPsec SADB Between Multiple Tunnel Interfaces in a DMVPN
SUMMARY STEPS
1. enable
2. configure terminal
3. interface tunnel number
4. tunnel source {ip-address | interface-type number}
5. tunnel protection ipsec profile name shared
6. end
7. Repeat this task to configure additional spokes.

DETAILED STEPS

Step 1: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
Device> enable

Step 2: configure terminal
Purpose: Enters global configuration mode.
Example:
Device# configure terminal

Step 3: interface tunnel number
Purpose: Configures a tunnel interface and enters interface configuration mode. The number argument specifies
the number of the tunnel interface that you want to create or configure. There is no limit on the number of
tunnel interfaces that you can create.
Example:
Device(config)# interface tunnel 5

Step 4: tunnel source {ip-address | interface-type number}
Purpose: Sets the source IP address or source interface type and number for a tunnel interface. When using the
tunnel protection ipsec profile name shared command, the tunnel source must specify an interface, not an IP
address.
Example:
Device(config-if)# tunnel source Ethernet0

Step 5: tunnel protection ipsec profile name shared
Purpose: Associates a tunnel interface with an IPsec profile. The name argument specifies the name of the IPsec
profile; this value must match the name specified in the crypto ipsec profile name command. The shared keyword
allows IPsec sessions to be shared between multiple tunnel interfaces that are configured with the same tunnel
source.
Example:
Device(config-if)# tunnel protection ipsec profile vpnprof shared

Step 6: end
Purpose: Returns to privileged EXEC mode.
Example:
Device(config-if)# end

Step 7: Repeat this task to configure additional spokes.

Configuration Examples for Sharing IPsec with Tunnel Protection
Example: Sharing IPsec Sessions Between Multiple Tunnels
The following example shows how to share IPsec sessions between multiple tunnels. This example uses the
dual-hub router, dual-DMVPN topology as shown in the figure below and has the following attributes:
• Each hub device is configured with a single multipoint generic routing encapsulation (mGRE) tunnel
interface.
• Each hub device is connected to one DMVPN subnet (blue cloud), and the spokes are connected to both
DMVPN 1 and DMVPN 2.
• Each spoke device is configured with two mGRE tunnel interfaces.
• One mGRE tunnel interface belongs to DMVPN 1, and the other mGRE tunnel interface belongs to
DMVPN 2.
• Each mGRE tunnel interface is configured with the same tunnel source interface and uses shared tunnel
protection between them.

Note The sample configurations below use a single wildcard pre-shared key (crypto isakmp key cisco47 address
0.0.0.0 0.0.0.0) on every hub and spoke for brevity. Any peer holding that key, including a compromised spoke,
can authenticate to the hubs as any other peer. In production, restrict pre-shared keys to specific peer
addresses where possible or use certificate-based (RSA signature) ISAKMP authentication.


Figure 9: Dual-Hub Router and Dual-DMVPN Topology

Hub 1 Configuration
The Hub 1 and Hub 2 configurations are similar, except that each hub belongs to a different DMVPN.
Hub 1 has the following DMVPN configuration:
• IP subnet: 10.0.0.0/24
• Next Hop Resolution Protocol (NHRP) network ID: 100000
• Tunnel key: 100000
• Dynamic routing protocol: Enhanced Interior Gateway Routing Protocol (EIGRP)

!
hostname Hub1
!
crypto isakmp policy 1
 encryption aes
 authentication pre-share
 group 14
crypto isakmp key cisco47 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set trans2 esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile vpnprof
 set transform-set trans2
!
interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.1 255.255.255.0
 ip mtu 1400
 no ip next-hop-self eigrp 1
 ip nhrp authentication test
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 600
 no ip split-horizon eigrp 1
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source Ethernet0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile vpnprof
!
interface Ethernet0
 ip address 172.16.0.1 255.255.255.252
!
interface Ethernet1
 ip address 192.168.0.1 255.255.255.0
!
router eigrp 1
 network 10.0.0.0 0.0.0.255
 network 192.168.0.0 0.0.0.255
 no auto-summary
!

Hub 2 Configuration
Hub 2 has the following DMVPN configuration:
• IP subnet: 10.0.1.0/24
• NHRP network ID: 100001
• Tunnel key: 100001
• Dynamic routing protocol: EIGRP

!
hostname Hub2
!
crypto isakmp policy 1
 encryption aes
 authentication pre-share
 group 14
crypto isakmp key cisco47 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set trans2 esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile vpnprof
 set transform-set trans2
!
interface Tunnel0
 bandwidth 1000
 ip address 10.0.1.1 255.255.255.0
 ip mtu 1400
 no ip next-hop-self eigrp 1
 ip nhrp authentication test
 ip nhrp map multicast dynamic
 ip nhrp network-id 100001
 ip nhrp holdtime 600
 no ip split-horizon eigrp 1
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source Ethernet0
 tunnel mode gre multipoint
 tunnel key 100001
 tunnel protection ipsec profile vpnprof
!
interface Ethernet0
 ip address 172.16.0.5 255.255.255.252
!
interface Ethernet1
 ip address 192.168.0.2 255.255.255.0
!
router eigrp 1
 network 10.0.1.0 0.0.0.255
 network 192.168.0.0 0.0.0.255
 no auto-summary
!

Spoke 1 Configuration
Spoke 1 has the following DMVPN configuration:

!
hostname Spoke1
!
crypto isakmp policy 1
 encryption aes
 authentication pre-share
 group 14
crypto isakmp key cisco47 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set trans2 esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile vpnprof
 set transform-set trans2
!
interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.11 255.255.255.0
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map 10.0.0.1 172.16.0.1
 ip nhrp map multicast 172.16.0.1
 ip nhrp network-id 100000
 ip nhrp holdtime 300
 ip nhrp nhs 10.0.0.1
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source Ethernet0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile vpnprof shared
!
interface Tunnel1
 bandwidth 1000
 ip address 10.0.1.11 255.255.255.0
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map 10.0.1.1 172.16.0.5
 ip nhrp map multicast 172.16.0.5
 ip nhrp network-id 100001
 ip nhrp holdtime 300
 ip nhrp nhs 10.0.1.1
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source Ethernet0
 tunnel mode gre multipoint
 tunnel key 100001
 tunnel protection ipsec profile vpnprof shared
!
interface Ethernet0
 ip address dhcp hostname Spoke1
!
interface Ethernet1
 ip address 192.168.1.1 255.255.255.0
!
router eigrp 1
 network 10.0.0.0 0.0.0.255
 network 10.0.1.0 0.0.0.255
 network 192.168.1.0 0.0.0.255
 no auto-summary
!

Spoke 2 Configuration
Spoke 2 has the following DMVPN configuration:

!
hostname Spoke2
!
crypto isakmp policy 1
 encryption aes
 authentication pre-share
 group 14
crypto isakmp key cisco47 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set trans2 esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile vpnprof
 set transform-set trans2
!
interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.12 255.255.255.0
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map 10.0.0.1 172.16.0.1
 ip nhrp map multicast 172.16.0.1
 ip nhrp network-id 100000
 ip nhrp holdtime 300
 ip nhrp nhs 10.0.0.1
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source Ethernet0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile vpnprof shared
!
interface Tunnel1
 bandwidth 1000
 ip address 10.0.1.12 255.255.255.0
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map 10.0.1.1 172.16.0.5
 ip nhrp map multicast 172.16.0.5
 ip nhrp network-id 100001
 ip nhrp holdtime 300
 ip nhrp nhs 10.0.1.1
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source Ethernet0
 tunnel mode gre multipoint
 tunnel key 100001
 tunnel protection ipsec profile vpnprof shared
!
interface Ethernet0
 ip address dhcp hostname Spoke2
!
interface Ethernet1
 ip address 192.168.2.1 255.255.255.0
!
router eigrp 1
 network 10.0.0.0 0.0.0.255
 network 10.0.1.0 0.0.0.255
 network 192.168.2.0 0.0.0.255
 no auto-summary
!

Spoke 1 Output
Spoke 1 displays the following output for its DMVPN configuration:

Spoke1# show ip nhrp
10.0.0.1/32 via 10.0.0.1, Tunnel0 created 00:06:52, never expire
  Type: static, Flags: used
  NBMA address: 172.16.0.1
10.0.0.12/32 via 10.0.0.12, Tunnel0 created 00:03:17, expire 00:01:52
  Type: dynamic, Flags: router
  NBMA address: 172.16.0.12
10.0.1.1/32 via 10.0.1.1, Tunnel1 created 00:13:45, never expire
  Type: static, Flags: used
  NBMA address: 172.16.0.5
10.0.1.12/32 via 10.0.1.12, Tunnel1 created 00:00:02, expire 00:04:57
  Type: dynamic, Flags: router
  NBMA address: 172.16.0.12

Note There are only three crypto connections because the two NHRP sessions (10.0.0.12, Tunnel0) and (10.0.1.12,
Tunnel1) share one IPsec session: both have the same nonbroadcast multiaccess (NBMA) IPsec peer address.

Spoke1# show crypto socket

Number of Crypto Socket connections 3
Shd Peers (local/remote): 172.16.0.11/172.16.0.12
 Local Ident (addr/mask/port/prot): (172.16.0.11/255.255.255.255/0/47)
 Remote Ident (addr/mask/port/prot): (172.16.0.12/255.255.255.255/0/47)
 Flags: shared
 IPsec Profile: "vpnprof"
 Socket State: Open
 Client: "TUNNEL SEC" (Client State: Active)
Shd Peers (local/remote): 172.16.0.11/172.16.0.5
 Local Ident (addr/mask/port/prot): (172.16.0.11/255.255.255.255/0/47)
 Remote Ident (addr/mask/port/prot): (172.16.0.5/255.255.255.255/0/47)
 Flags: shared
 IPsec Profile: "vpnprof"
 Socket State: Open
 Client: "TUNNEL SEC" (Client State: Active)
Shd Peers (local/remote): 172.16.0.11/172.16.0.1
 Local Ident (addr/mask/port/prot): (172.16.0.11/255.255.255.255/0/47)
 Remote Ident (addr/mask/port/prot): (172.16.0.1/255.255.255.255/0/47)
 Flags: shared
 IPsec Profile: "vpnprof"
 Socket State: Open
 Client: "TUNNEL SEC" (Client State: Active)
Crypto Sockets in Listen state:
Client: "TUNNEL SEC" Profile: "vpnprof" Map-name: "vpnprof-head-1"

Spoke1# show crypto map

Crypto Map: "vpnprof-head-1" idb: Ethernet0/0 local address: 172.16.0.11

Crypto Map "vpnprof-head-1" 65536 ipsec-isakmp
 Profile name: vpnprof
 Security association lifetime: 4608000 kilobytes/3600 seconds
 PFS (Y/N): N
 Transform sets={
  trans2,
 }
Crypto Map "vpnprof-head-1" 65537 ipsec-isakmp
 Map is a PROFILE INSTANCE.
 Peer = 172.16.0.5
 Extended IP access list
  access-list permit gre host 172.16.0.11 host 172.16.0.5
 Current peer: 172.16.0.5
 Security association lifetime: 4608000 kilobytes/3600 seconds
 PFS (Y/N): N
 Transform sets={
  trans2,
 }
Crypto Map "vpnprof-head-1" 65538 ipsec-isakmp
 Map is a PROFILE INSTANCE.
 Peer = 172.16.0.1
 Extended IP access list
  access-list permit gre host 172.16.0.11 host 172.16.0.1
 Current peer: 172.16.0.1
 Security association lifetime: 4608000 kilobytes/3600 seconds
 PFS (Y/N): N
 Transform sets={
  trans2,
 }
Crypto Map "vpnprof-head-1" 65539 ipsec-isakmp
 Map is a PROFILE INSTANCE.
 Peer = 172.16.0.12
 Extended IP access list
  access-list permit gre host 172.16.0.11 host 172.16.0.12
 Current peer: 172.16.0.12
 Security association lifetime: 4608000 kilobytes/3600 seconds
 PFS (Y/N): N
 Transform sets={
  trans2,
 }
Interfaces using crypto map vpnprof-head-1:
 Tunnel1
 Tunnel0


Note All three crypto sessions are shown under each tunnel interface (three entries, twice) in the show crypto ipsec
sa command output, because both interfaces are mapped to the same IPsec SADB, which has three entries.
This duplication of output is expected in this case.

Spoke1# show crypto ipsec sa

interface: Tunnel0
Crypto map tag: vpnprof-head-1, local addr 172.16.0.11
protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.0.11/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (172.16.0.1/255.255.255.255/47/0)
current_peer 172.16.0.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 134, #pkts encrypt: 134, #pkts digest: 134
#pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 22, #recv errors 0
local crypto endpt.: 172.16.0.11, remote crypto endpt.: 172.16.0.1
path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
current outbound spi: 0xA75421B1(2807308721)
inbound esp sas:
spi: 0x96185188(2518176136)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
conn id: 3, flow_id: SW:3, crypto map: vpnprof-head-1
sa timing: remaining key lifetime (k/sec): (4569747/3242)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xA75421B1(2807308721)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
conn id: 4, flow_id: SW:4, crypto map: vpnprof-head-1
sa timing: remaining key lifetime (k/sec): (4569745/3242)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.0.11/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (172.16.0.5/255.255.255.255/47/0)
current_peer 172.16.0.5 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 244, #pkts encrypt: 244, #pkts digest: 244
#pkts decaps: 253, #pkts decrypt: 253, #pkts verify: 253
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 172.16.0.11, remote crypto endpt.: 172.16.0.5
path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
current outbound spi: 0x3C50B3AB(1011921835)
inbound esp sas:
spi: 0x3EBE84EF(1052673263)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
conn id: 1, flow_id: SW:1, crypto map: vpnprof-head-1
sa timing: remaining key lifetime (k/sec): (4549326/2779)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x3C50B3AB(1011921835)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
conn id: 2, flow_id: SW:2, crypto map: vpnprof-head-1
sa timing: remaining key lifetime (k/sec): (4549327/2779)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.0.11/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (172.16.0.12/255.255.255.255/47/0)
current_peer 172.16.0.12 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.16.0.11, remote crypto endpt.: 172.16.0.12
path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
current outbound spi: 0x38C04B36(952126262)
inbound esp sas:
spi: 0xA2EC557(170837335)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
conn id: 5, flow_id: SW:5, crypto map: vpnprof-head-1
sa timing: remaining key lifetime (k/sec): (4515510/3395)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x38C04B36(952126262)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
conn id: 6, flow_id: SW:6, crypto map: vpnprof-head-1
sa timing: remaining key lifetime (k/sec): (4515511/3395)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
interface: Tunnel1
Crypto map tag: vpnprof-head-1, local addr 172.16.0.11
protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.0.11/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (172.16.0.1/255.255.255.255/47/0)
current_peer 172.16.0.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 134, #pkts encrypt: 134, #pkts digest: 134
#pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 22, #recv errors 0
local crypto endpt.: 172.16.0.11, remote crypto endpt.: 172.16.0.1
path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
current outbound spi: 0xA75421B1(2807308721)
inbound esp sas:
spi: 0x96185188(2518176136)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
conn id: 3, flow_id: SW:3, crypto map: vpnprof-head-1
sa timing: remaining key lifetime (k/sec): (4569747/3242)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xA75421B1(2807308721)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
conn id: 4, flow_id: SW:4, crypto map: vpnprof-head-1
sa timing: remaining key lifetime (k/sec): (4569745/3242)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.0.11/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (172.16.0.5/255.255.255.255/47/0)
current_peer 172.16.0.5 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 244, #pkts encrypt: 244, #pkts digest: 244
#pkts decaps: 253, #pkts decrypt: 253, #pkts verify: 253
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 172.16.0.11, remote crypto endpt.: 172.16.0.5
path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
current outbound spi: 0x3C50B3AB(1011921835)
inbound esp sas:
spi: 0x3EBE84EF(1052673263)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
conn id: 1, flow_id: SW:1, crypto map: vpnprof-head-1
sa timing: remaining key lifetime (k/sec): (4549326/2779)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x3C50B3AB(1011921835)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
conn id: 2, flow_id: SW:2, crypto map: vpnprof-head-1
sa timing: remaining key lifetime (k/sec): (4549327/2779)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.0.11/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (172.16.0.12/255.255.255.255/47/0)
current_peer 172.16.0.12 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.16.0.11, remote crypto endpt.: 172.16.0.12
path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
current outbound spi: 0x38C04B36(952126262)
inbound esp sas:
spi: 0xA2EC557(170837335)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
conn id: 5, flow_id: SW:5, crypto map: vpnprof-head-1
sa timing: remaining key lifetime (k/sec): (4515510/3395)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x38C04B36(952126262)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
conn id: 6, flow_id: SW:6, crypto map: vpnprof-head-1
sa timing: remaining key lifetime (k/sec): (4515511/3395)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Spoke1#

Additional References for Sharing IPsec with Tunnel Protection

Related Documents

Related Topic: Cisco IOS commands
Document Title: Cisco IOS Master Command List, All Releases

Related Topic: Security commands
Document Title:
• Cisco IOS Security Command Reference Commands A to C
• Cisco IOS Security Command Reference Commands D to L
• Cisco IOS Security Command Reference Commands M to R
• Cisco IOS Security Command Reference Commands S to Z

Related Topic: Configuring DMVPN
Document Title: Dynamic Multipoint VPN (DMVPN)

Related Topic: Implementing DMVPN with IPsec VPN
Document Title: Dynamic Multipoint IPsec VPNs (Using Multipoint GRE/NHRP to Scale IPsec VPNs)

Related Topic: Configuring basic IPsec VPNs
Document Title: Configuring Security for VPNs with IPsec

Related Topic: Recommended cryptographic algorithms
Document Title: Next Generation Encryption

Standards and RFCs

RFC 2401: Security Architecture for the Internet Protocol
RFC 2547: BGP/MPLS VPNs
RFC 2784: Generic Routing Encapsulation (GRE)

Technical Assistance

Description: The Cisco Support and Documentation website provides online resources to download documentation,
software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve
technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and
Documentation website requires a Cisco.com user ID and password.
Link: http://www.cisco.com/cisco/web/support/index.html

Feature Information for Sharing IPsec with Tunnel Protection

The following table provides release information about the feature or features described in this module. This
table lists only the software release that introduced support for a given feature in a given software release
train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 19: Feature Information for Sharing IPsec with Tunnel Protection

Feature Name: Sharing IPsec with Tunnel Protection
Releases: 12.4(15)T
Feature Information: The Sharing IPsec with Tunnel Protection feature allows sharing an IPsec security
association database (SADB) between two or more generic routing encapsulation (GRE) tunnel interfaces when
tunnel protection is used. Shared tunnel interfaces have a single underlying cryptographic SADB, crypto map,
and IPsec profile in the Dynamic Multipoint Virtual Private Network (DMVPN) configuration.
The Sharing IPsec with Tunnel Protection feature is required in some DMVPN configurations. If IPsec SA
sessions are not shared within the same IPsec SADB, an IPsec SA may be associated with the wrong IPsec SADB
and therefore with the wrong tunnel interface, causing duplicate IPsec security associations (SAs) and tunnel
interface flapping, which in turn results in network connectivity problems.
The following command was introduced or modified: tunnel protection ipsec profile.
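The following spoke configuration is an added example, not part of the original guide, showing how the two tunnel interfaces from the Spoke 1 output above end up in one shared SADB. Only the transform set trans2, the profile name vpnprof (which IOS turns into the vpnprof-head-1 crypto map seen in the output), transport mode and the physical address 172.16.0.11 on Ethernet0/0 come from this page; the tunnel and NHRP addressing, the NHS addresses, the NHRP network IDs, the tunnel keys and the ISAKMP policy are assumptions chosen for illustration. The shared keyword on tunnel protection ipsec profile is what maps both interfaces to the same SADB; without it each interface gets its own SADB, and because both use the same tunnel source an SA can land on the wrong interface, which is the flapping described in the table above.

```cisco
! Spoke 1: two mGRE tunnel interfaces over the same WAN interface sharing
! one IPsec profile. Everything except trans2 / vpnprof / 172.16.0.11 /
! Ethernet0/0 is an assumed value for illustration.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 14
! A wildcard pre-shared key is the usual DMVPN lab pattern; per-peer keys
! or certificates are the stronger choice in production.
crypto isakmp key <pre-shared-key> address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set trans2 esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile vpnprof
 set transform-set trans2
!
interface Ethernet0/0
 ip address 172.16.0.11 255.255.255.0
!
! First DMVPN cloud (assumed hub NBMA address 172.16.0.1).
interface Tunnel0
 ip address 10.0.0.11 255.255.255.0
 ip nhrp authentication test
 ip nhrp map 10.0.0.1 172.16.0.1
 ip nhrp map multicast 172.16.0.1
 ip nhrp network-id 100000
 ip nhrp nhs 10.0.0.1
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 ! Distinct tunnel keys let GRE packets arriving from the same source
 ! be steered to the right tunnel interface.
 tunnel key 100000
 tunnel protection ipsec profile vpnprof shared
!
! Second DMVPN cloud (assumed hub NBMA address 172.16.0.5), same source,
! same profile, different key and network ID.
interface Tunnel1
 ip address 10.0.1.11 255.255.255.0
 ip nhrp authentication test
 ip nhrp map 10.0.1.5 172.16.0.5
 ip nhrp map multicast 172.16.0.5
 ip nhrp network-id 100001
 ip nhrp nhs 10.0.1.5
 tunnel source Ethernet0/0
 tunnel mode gre multipoint
 tunnel key 100001
 tunnel protection ipsec profile vpnprof shared
```

Once both tunnels are up, show crypto ipsec sa should list the same SPIs and conn ids under Tunnel0 and Tunnel1, exactly as in the Spoke 1 output above; if each interface shows its own set of SPIs, the shared keyword is missing on one of them. The hub (and any other spoke) that terminates these tunnels must carry the matching tunnel key values.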

Glossary
GRE—generic routing encapsulation. Tunnels that provide a specific pathway across the shared WAN and
encapsulate traffic with new packet headers to ensure delivery to specific destinations. The network is private
because traffic can enter a tunnel only at an endpoint. Tunnels do not provide true confidentiality (encryption
does) but can carry encrypted traffic.
GRE tunneling can also be used to encapsulate non-IP traffic into IP and send it over the Internet or IP network.
The Internet Package Exchange (IPX) and AppleTalk protocols are examples of non-IP traffic.
IKE—Internet Key Exchange. A hybrid protocol that implements Oakley key exchange and Skeme key
exchange inside the ISAKMP framework. Although IKE can be used with other protocols, its initial
implementation is with IPsec. IKE provides authentication of the IPsec peers, negotiates IPsec keys, and
negotiates IPsec security associations.
IPsec—IP security. A framework of open standards developed by the Internet Engineering Task Force (IETF).
IPsec provides security for transmission of sensitive information over unprotected networks such as the
Internet. IPsec acts at the network layer, protecting and authenticating IP packets between participating IPsec
peers, such as Cisco routers.
ISAKMP—Internet Security Association Key Management Protocol. A protocol framework that defines
payload formats, the mechanics of implementing a key exchange protocol, and the negotiation of a security
association.
NHRP—Next Hop Resolution Protocol. A protocol that routers, access servers, and hosts can use to discover
the addresses of other routers and hosts connected to an NBMA network.
The Cisco implementation of NHRP supports the IETF draft version 11 of NBMA NHRP.
The Cisco implementation of NHRP supports IP Version 4, Internet Packet Exchange (IPX) network layers,
and, at the link layer, ATM, Ethernet, SMDS, and multipoint tunnel networks. Although NHRP is available
on Ethernet, NHRP need not be implemented over Ethernet media because Ethernet is capable of broadcasting.
Ethernet support is unnecessary (and not provided) for IPX.
SA—security association. Describes how two or more entities use security services to communicate securely.
For example, an IPsec SA defines the encryption algorithm (if used), the authentication algorithm, and the
shared session key to be used during the IPsec connection.
Both IPsec and IKE require and use SAs to identify the parameters of their connections. IKE can negotiate
and establish its own SA. The IPsec SA is established either by IKE or by manual user configuration.
transform—List of operations performed on a data flow to provide data authentication, data confidentiality,
and data compression. An example of a transform is the ESP with the 256-bit AES encryption algorithm and
the AH protocol with the HMAC-SHA authentication algorithm.
tunnel—In the context of this module, a secure communication path between two peers, such as two routers.
It does not refer to using IPsec in tunnel mode.
VPN—Virtual Private Network. A framework that consists of multiple peers transmitting private data securely
to one another over an otherwise public infrastructure. In this framework, inbound and outbound network
traffic is protected using protocols that tunnel and encrypt all data. This framework permits networks to extend
beyond their local topology, while remote users are provided with the appearance and functionality of a direct
network connection.

CHAPTER 12
DMVPN NHRP Event Publisher
The DMVPN: NHRP Event Publisher feature allows you to publish Next Hop Resolution Protocol (NHRP) specific
events to the Event Detector (ED). NHRP publishes these events, with their data, to the NHRP-ED handler.
The DMVPN: NHRP Event Publisher feature enhances Dynamic Multipoint VPN (DMVPN) with the capability
to control the building of dynamic spoke-to-spoke tunnels, and it optimizes the conditions under which spokes
build dynamic tunnels with each other. It integrates Embedded Event Manager (EEM) with NHRP and uses EEM
scripts to influence the behavior of NHRP. In this feature, the only supported event is the building of dynamic
spoke-to-spoke tunnels.
• Finding Feature Information, on page 175
• Prerequisites for DMVPN NHRP Event Publisher, on page 175
• Restrictions for DMVPN NHRP Event Publisher, on page 176
• Information About DMVPN NHRP Event Publisher, on page 176
• How to Configure DMVPN NHRP Event Publisher, on page 178
• Configuration Examples for DMVPN NHRP Event Publisher, on page 180
• Additional References, on page 180
• Feature Information for DMVPN NHRP Event Publisher, on page 181

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest feature
information and caveats, see the release notes for your platform and software release. To find information
about the features documented in this module, and to see a list of the releases in which each feature is supported,
see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for DMVPN NHRP Event Publisher


You must use the nhrp event-publisher max-event-timeout command to turn on the DMVPN: NHRP Event
Publisher feature. For information on DMVPN configuration, see Configuring Dynamic Multipoint VPN. For
information on NHRP configuration, see Configuring NHRP.

Restrictions for DMVPN NHRP Event Publisher


You cannot manually configure spoke-to-spoke tunneling with this feature. You can only build dynamic
spoke-to-spoke tunnels.

Information About DMVPN NHRP Event Publisher


Dynamic Spoke-to-Spoke Tunnels
Spoke-to-spoke tunnels are designed to be dynamic, in that they are created only when there is data traffic
that uses the tunnel; and they are removed when there is no data traffic using the tunnel.
In addition to NHRP registration of next hop clients (NHCs) with next hop servers (NHSs), NHRP provides
the capability for NHCs (spokes) to find a shortcut path over the infrastructure of the network (IP network,
Switched Multimegabit Data Service [SMDS]) or to build a shortcut switched virtual circuit (SVC) over a
switched infrastructure network (Frame Relay and ATM) directly to another NHC (spoke), bypassing hops
through the NHSs (hubs). This capability allows the building of very large NHRP-NBMA networks. In this
way, the bandwidth and CPU limitations of the hub do not limit the overall bandwidth of the NHRP-NBMA
network. This capability effectively creates a full-mesh-capable network without having to discover all possible
connections beforehand. This type of network is called a dynamic-mesh network, where there is a base
hub-and-spoke network of NHCs and NHSs. The network of NHCs and NHSs is used for transporting NHRP,
dynamic routing protocol information, data traffic, and dynamic direct spoke-to-spoke links. The spoke-to-spoke
links are built when there is data traffic to use the link, and the spoke-to-spoke links are torn down when the
data traffic stops.
The dynamic-mesh network allows individual spoke routers to directly connect to anywhere in the NBMA
network, even though they are capable of connecting only to a limited number at the same time. This
functionality allows each spoke in the network to participate in the whole network up to its capabilities without
limiting another spoke from participating up to its capability. If a full-mesh network were to be built, all spokes
would have to be sized to handle all possible tunnels at the same time.
For example, in a network of 1000 nodes, a full-mesh spoke would need to be large and powerful because it
must always support 999 tunnels (one to every other node). In a dynamic-mesh network, a spoke needs to
support only a limited number of tunnels to its NHSs (hubs) plus any currently active tunnels to other spokes.
Also, if a spoke cannot build more spoke-to-spoke tunnels, it will send its data traffic by way of the
spoke-hub-spoke path. This design ensures that connectivity is always preserved, even when the preferred
single hop path is not available.

DMVPN NHRP Event Publisher


Currently, DMVPN establishes a direct spoke-to-spoke tunnel when shortcut switching is enabled on the spoke
and NHRP redirect is enabled on the hub, without performing any additional checks before sending traffic on
the tunnel. This direct spoke-to-spoke tunnel may not be the best path, because better alternative paths may be
available for the traffic.
The DMVPN: NHRP Event Publisher feature performs additional checks before establishing the spoke-to-spoke
tunnel and sending traffic on it. It lets the administrator apply local policies and attributes while the tunnel is
being built, so that known bad network connections can be refused based on local history or centralized
information. It also reduces administrative overhead by monitoring available resources and selecting the best
options.

Embedded Event Manager


Embedded Event Manager (EEM) is a powerful and flexible subsystem in Cisco IOS software that provides
real-time network event detection and onboard automation. Using EEM, you can adapt the behavior of your
network devices to align with your business needs. EEM is available on a wide range of Cisco platforms, and
customers can benefit from the capabilities of EEM without upgrading to a new version of IOS.
EEM supports over 20 event detectors that are integrated with different Cisco IOS components to trigger
actions in response to network events. Business logic can be injected into various networking operations using
EEM policies. These policies are programmed using either a simple CLI-based interface or a scripting language
called Tool Command Language (TCL). EEM harnesses the significant intelligence within Cisco devices to
enable creative solutions including automated troubleshooting, automatic fault detection and troubleshooting,
and device configuration automation.
EEM is implemented through the creation of policies. An EEM policy is an entity that defines an event and
the actions to be taken when that event occurs. There are two types of EEM policies: an applet and a script.
An applet is a simple form of policy that is defined within the CLI configuration. A script is a form of policy
that is written in TCL. When an EEM policy is registered with the EEM, the software examines the policy
and registers it to be run when the specified event occurs. Policies can be unregistered or suspended.
The following tasks are required to create an EEM policy:
• Selecting the event for which the policy is run.
• Defining the Event Detector (ED) options associated with logging and responding to the event.
• Defining the environment variables, if required.
• Choosing the actions to be performed when the event occurs.

NHRP Event Publishing Flow


When a local spoke sends a resolution request to a remote spoke, the remote spoke triggers the EEM. The
EEM decides whether to accept or reject the request. If the EEM accepts, the remote spoke builds the tunnel
and sends the resolution reply through the tunnel.
Making NHRP an ED lets you define your own events, which the application can create and publish. On the
remote spoke, TCL scripts can subscribe to these events, and published events are delivered to the subscribed
scripts. NHRP events are published to the NHRP-ED handler. The event information is copied into an XML
buffer, which the NHRP-ED publishes to the EEM server. The event subscriber (a TCL script on the remote
spoke) registers for the event so that the remote spoke is notified when the event is published. The TCL script
replies to NHRP with the ip nhrp connect req-id or the ip nhrp reject req-id command, where req-id identifies
the received resolution request. The ip nhrp connect req-id command enables the spoke to initiate a resolution
reply for the received request in order to build a shortcut tunnel. The ip nhrp reject req-id command prevents
the spoke from initiating the resolution reply for the received request.
The ip nhrp connect req-id command invokes the connect registry callback as the action that triggers the
resolution reply. The remote spoke either builds the spoke-to-spoke tunnel and sends the resolution reply
within the tunnel, or sends the resolution reply with the policy attributes through the hub. If the resolution
reply is sent through the hub, the spoke receiving the resolution reply builds the spoke-to-spoke tunnel.

When the TCL script responds with the ip nhrp reject req-id command, the remote spoke does not build the
spoke-to-spoke tunnel. It sends an NHRP resolution NAK message with a reject time value and subnet mask
to the local spoke through the hub.
The following sequence lists the NHRP event flow:
1. An NHRP event registers with the NHRP-ED.
2. The application creates an event definition.
3. A TCL script subscribes to the NHRP event, asking that the script's callback routine be invoked when the
event is published.
4. The NHRP ED detects an event and contacts the EEM on the remote spoke.
5. The EEM schedules the event processing and calls the application's callback handler routine.
6. The TCL script's callback routine runs and returns its decision (connect or reject) to NHRP.

How to Configure DMVPN NHRP Event Publisher


SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. tunnel mode gre multipoint
5. tunnel key key-number
6. ip nhrp network-id number
7. ip nhrp attribute set isp-name value
8. nhrp event timer
9. end
10. show ipv6 nhrp attribute
11. show ip nhrp attribute
12. show dmvpn detail
13. debug nhrp attribute
14. exit

DETAILED STEPS

Step 1: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
Router> enable

Step 2: configure terminal
Purpose: Enters global configuration mode.
Example:
Router# configure terminal

Step 3: interface type number
Purpose: Configures an interface and enters interface configuration mode.
Example:
Router(config)# interface tunnel 100

Step 4: tunnel mode gre multipoint
Purpose: Enables a GRE tunnel to be used in multipoint NBMA mode.
Example:
Router(config-if)# tunnel mode gre multipoint

Step 5: tunnel key key-number
Purpose: (Optional) Sets the tunnel ID key.
Example:
Router(config-if)# tunnel key 3

Step 6: ip nhrp network-id number
Purpose: Enables NHRP on the interface.
Example:
Router(config-if)# ip nhrp network-id 1

Step 7: ip nhrp attribute set isp-name value
Purpose: Sets the local policy attributes that are carried in NHRP resolution requests.
Example:
Router(config-if)# ip nhrp attribute set isp-name 200

Step 8: nhrp event timer
Purpose: Publishes an NHRP event with the attributes to EEM.
Example:
Router(config-if)# nhrp event timer

Step 9: end
Purpose: Exits interface configuration mode and returns to privileged EXEC mode.
Example:
Router(config-if)# end

Step 10: show ipv6 nhrp attribute
Purpose: Displays the IPv6 NHRP attributes configured on the spoke.
Example:
Router# show ipv6 nhrp attribute

Step 11: show ip nhrp attribute
Purpose: Displays the IP NHRP attributes configured on the spoke.
Example:
Router# show ip nhrp attribute

Step 12: show dmvpn detail
Purpose: Displays DMVPN-specific session information.
Example:
Router# show dmvpn detail

Step 13: debug nhrp attribute
Purpose: Enables NHRP debugging.
Example:
Router# debug nhrp attribute

Step 14: exit
Purpose: Exits privileged EXEC mode.
Example:
Router# exit

Configuration Examples for DMVPN NHRP Event Publisher


Example Configuring DMVPN NHRP Event Publisher
The following is a sample configuration of the DMVPN: NHRP Event Publisher feature:

interface tunnel 100
 tunnel mode gre multipoint
 tunnel key 3
 ip nhrp network-id 1
 ip nhrp attribute set isp-name 200
 nhrp event timer
 end
show ip nhrp attribute
show dmvpn detail
debug nhrp attribute

Additional References

Related Documents

Related Topic: Configuring Dynamic Multipoint VPN
Document Title: Configuring Dynamic Multipoint VPN

Related Topic: Configuring NHRP
Document Title: Configuring NHRP

Related Topic: NHRP commands
Document Title: Cisco IOS IP Addressing Services Command Reference

RFCs

RFC 2332: NBMA Next Hop Resolution Protocol (NHRP)

Technical Assistance

Description: The Cisco Support and Documentation website provides online resources to download documentation,
software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve
technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and
Documentation website requires a Cisco.com user ID and password.
Link: http://www.cisco.com/cisco/web/support/index.html

Feature Information for DMVPN NHRP Event Publisher


The following table lists the release history for this feature.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco
Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a
specific software release, feature set, or platform. To access Cisco Feature Navigator, go to
http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Note The following table lists only the Cisco IOS software release that introduced support for a given feature in a
given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software
release train also support that feature.

Table 20: Feature Information for DMVPN: NHRP Event Publisher

Feature Name: DMVPN: NHRP Event Publisher
Releases: 15.2(2)T
Feature Information: The DMVPN: NHRP Event Publisher feature allows you to publish NHRP-specific events
to the ED. This feature enhances DMVPN with the capability to control the building of dynamic spoke-to-spoke
tunnels. It also optimizes the conditions under which spokes build dynamic tunnels with each other, and it
integrates EEM with NHRP.
The following commands were introduced or modified: ip nhrp connect, ip nhrp reject, show ip nhrp attribute,
show ipv6 nhrp attribute.

CHAPTER 13
Configuring TrustSec DMVPN Inline Tagging
Support
The TrustSec DMVPN Inline Tagging Support feature enables IPsec to carry the Cisco TrustSec (CTS)
Security Group Tag (SGT) between IPsec peers.
• Finding Feature Information, on page 183
• Prerequisites for Configuring TrustSec DMVPN Inline Tagging Support, on page 183
• Restrictions for Configuring TrustSec DMVPN Inline Tagging Support, on page 184
• Information About Configuring TrustSec DMVPN Inline Tagging Support, on page 184
• How to Configure TrustSec DMVPN Inline Tagging Support, on page 187
• Configuration Examples for TrustSec DMVPN Inline Tagging Support, on page 190
• Additional References for TrustSec DMVPN Inline Tagging Support, on page 194
• Feature Information for TrustSec DMVPN Inline Tagging Support, on page 195

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for Configuring TrustSec DMVPN Inline Tagging Support
Internet Key Exchange Version 2 (IKEv2) and IPsec must be configured on the router. For more information,
see the “Configuring Internet Key Exchange Version 2 and FlexVPN Site-to-Site” and “Configuring Security
for VPNs with IPsec” modules.

Restrictions for Configuring TrustSec DMVPN Inline Tagging Support
The TrustSec DMVPN Inline Tagging Support feature via IKEv2 supports the following:
• Dynamic Virtual Tunnel Interface (dVTI)
• GRE with Tunnel Protection
• Site-to-site VPNs
• Static crypto maps
• Static Virtual Tunnel Interface (sVTI)

The TrustSec DMVPN Inline Tagging Support feature does not support the following:
• Cisco AnyConnect
• Cisco VPNClient
• DMVPN with IKEv1
• EasyVPN
• FlexVPN
• GetVPN
• IKEv1 IPsec methods
• SSLVPN

The crypto ikev2 cts sgt command and the cts sgt inline command on a tunnel interface are two different features. Do not
configure both together, because doing so causes packets to be tagged twice.
The cts sgt inline command does not rely on crypto or IKEv2. It can be configured statically or by NHRP, and it works
with DMVPN IPsec tunnels and also in transport mode.
The TrustSec DMVPN Inline Tagging Support feature via the cts sgt inline command is supported on all
combinations of DMVPN (IKEv1, IKEv2, non-crypto, crypto accelerators such as ISM-VPN, point-to-point,
multipoint) except when running MPLS (as an MPLS cloud extension or as MPLS L3VPN) over DMVPN.

Information About Configuring TrustSec DMVPN Inline Tagging Support

Cisco TrustSec
The Cisco TrustSec (CTS) architecture helps to build secure networks by establishing a domain of trusted
network devices by combining identity, trust, and policy to protect user transactions and enforce role-based
policies. CTS uses the user and the device identification information acquired during the authentication phase
to classify packets as they enter the network. CTS maintains a classification of each packet by tagging packets
on ingress to the CTS network so that they can be properly identified for applying security and other policy
criteria along the data path. The packets or frames are tagged using the Security Group Tag (SGT), which
allows network intermediaries such as switches and firewalls, to enforce an access control policy based on
the classification.
The IPsec Inline Tagging for TrustSec feature is used to propagate the SGT to other network devices.

Note If this feature is not supported, you can use the SGT Exchange Protocol over TCP (SXP) feature.

For more information on CTS and SXP, see the Cisco TrustSec Switch Configuration Guide .

SGT and IPsec


IPsec uses the IKE protocol for negotiating algorithms, keys, and capabilities. IKEv2 is used to negotiate and
inform IPsec about the SGT capability. Once the peers acknowledge the SGT tagging capability, a 16-bit SGT tag
number is added as the SGT Cisco Meta Data (CMD) payload into IPsec and sent to the receiving
peer.
The access layer device authenticates the incoming packets. The access layer device receives an SGT from
the authentication server and assigns the SGT along with an IP address to the incoming packets. In other
words, an IP address is bound to an SGT. This IP address/SGT binding is propagated to upstream devices to
enforce SGT-based policy and inline tagging.
If IKEv2 is configured to negotiate the SGT capability in the initiator, the initiator proposes the SGT capability
information in the SA_INIT request. If IKEv2 is configured to negotiate the SGT capability in the responder,
the responder acknowledges in the SA_INIT response and the initiator and the responder inform IPsec to use
inline tagging for all packets to the peer.
During egress, IPsec adds the SGT capability and prefixes to the IPsec payload if the peer supports inline
tagging; otherwise the packet is not tagged.
During ingress, IPsec inspects the packet for the SGT capability. If a tag is available, IPsec extracts the tag
information and passes the information to the device only if inline tagging is negotiated. If there is no tag,
IPsec processes the packet as a normal packet.
The tables below describe how IPsec behaves during egress and ingress.

Table 21: IPsec Behavior on the Egress Path

Inline Tagging Negotiated   CTS Provides SGT   IPsec Behavior
Yes                         Yes                An SGT CMD is added to the packet.
Yes                         No                 The packet is sent without the SGT CMD.
No                          Yes or no          The packet is sent without the SGT CMD.

Table 22: IPsec Behavior on the Ingress Path

Packet Is Tagged   Inline Tagging Negotiated   IPsec Behavior
Yes                Yes                         The SGT CMD in the packet is processed.
Yes                No                          The SGT CMD in the packet is not processed.
No                 Yes or no                   The packet is processed as a normal IPsec packet.

SGT on the IKEv2 Initiator and Responder


To enable SGT on an IKEv2 session, the SGT capability support must be sent to the peers using the crypto
ikev2 cts sgt command. SGT is a Cisco proprietary capability; hence, it is sent as a Vendor ID (VID) payload in
the SA_INIT exchange.
The table below explains the scenarios when SGT capability is configured on the initiator and the responder:

Table 23: SGT Capability on IKEv2 Initiator and Responder

SGT Enabled on Initiator   SGT Enabled on Responder   What Happens
Yes                        Yes                        The VID is exchanged between the initiator and the responder, and the IPsec SA is enabled with the SGT inline tagging capability.
Yes                        No                         The initiator proposes the VID, but the responder ignores the VID. The IPsec SA is not enabled with the SGT inline tagging capability.
No                         Yes                        The initiator does not propose the VID, and the responder does not send the VID payload. The IPsec SA is not enabled with the SGT inline tagging capability.
No                         No                         The initiator does not propose the VID, and the responder also does not send the VID payload. The IPsec SA is not enabled with the SGT inline tagging capability.

Handling Fragmentation
Fragmentation is handled in the following two ways:
• Fragmentation before IPsec—If IPsec receives fragmented packets, each fragment is tagged.
• Fragmentation after IPsec—If IPsec packets are fragmented after encryption, the first fragment will be
tagged.
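The SA_INIT negotiation of Table 23, the egress and ingress decisions of Tables 21 and 22, and the two fragmentation cases, modelled in Python as an added example (not Cisco IOS code). The VID and CMD payloads are abstract stand-ins because their byte layouts are not described here; peer names and the SGT values are constructed.

```python
"""Model of IKEv2 SGT capability negotiation and the resulting IPsec
inline-tagging behaviour. Added example: the Vendor ID and CMD payloads
are represented abstractly, not as their real on-the-wire encodings."""
from dataclasses import dataclass

SGT_VID = "SGT-CAPABILITY-VID"   # stand-in for Cisco's proprietary SGT VID payload


@dataclass
class Peer:
    name: str
    cts_sgt_configured: bool      # True when 'crypto ikev2 cts sgt' is configured
    inline_tagging: bool = False  # outcome of the SA_INIT exchange for this SA


def sa_init_request(initiator):
    """The initiator includes the SGT VID only if SGT negotiation is configured."""
    vids = [SGT_VID] if initiator.cts_sgt_configured else []
    return {"exchange": "SA_INIT_REQ", "vids": vids}


def sa_init_response(responder, request):
    """The responder echoes the VID only if it saw one and is itself configured;
    an unconfigured responder silently ignores a proposed VID (Table 23, row 2)."""
    acknowledge = responder.cts_sgt_configured and SGT_VID in request["vids"]
    return {"exchange": "SA_INIT_RESP", "vids": [SGT_VID] if acknowledge else []}


def negotiate(initiator, responder):
    """Run the SA_INIT exchange; both peers record whether the SA uses inline tagging."""
    request = sa_init_request(initiator)
    response = sa_init_response(responder, request)
    negotiated = SGT_VID in request["vids"] and SGT_VID in response["vids"]
    initiator.inline_tagging = responder.inline_tagging = negotiated
    return negotiated


def egress(peer, sgt, fragments=1, fragmented_after_ipsec=False):
    """Table 21 plus fragmentation handling. 'sgt' is the tag CTS provides for the
    packet (None when CTS provides none). Returns the SGT carried by each outbound
    fragment; None means the fragment has no SGT CMD."""
    tag = sgt if (peer.inline_tagging and sgt is not None) else None
    if fragmented_after_ipsec:
        # Encrypted packet fragmented afterwards: only the first fragment is tagged.
        return [tag if i == 0 else None for i in range(fragments)]
    # Fragments received before IPsec: each one is its own IPsec packet and is tagged.
    return [tag] * fragments


def ingress(peer, carried_sgt):
    """Table 22: the SGT reaches the device only if the packet carries a tag AND
    inline tagging was negotiated; otherwise IPsec treats it as a normal packet."""
    if carried_sgt is not None and peer.inline_tagging:
        return carried_sgt
    return None


def scenario(initiator_configured, responder_configured, sgt=10):
    """One round trip: negotiate, send a single tagged packet, and report
    (negotiated, SGT on the wire, SGT delivered to the responder's device)."""
    a = Peer("initiator", initiator_configured)
    b = Peer("responder", responder_configured)
    negotiated = negotiate(a, b)
    on_wire = egress(a, sgt)[0]
    return negotiated, on_wire, ingress(b, on_wire)


if __name__ == "__main__":
    for cfg in ((True, True), (True, False), (False, True), (False, False)):
        print(cfg, "->", scenario(*cfg))
```

Only the (True, True) row delivers a tag; every one-sided configuration leaves downstream SGT-based policy with untagged traffic.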

How to Configure TrustSec DMVPN Inline Tagging Support


Enabling IPsec Inline Tagging
SUMMARY STEPS
1. enable
2. configure terminal
3. interface tunnel tunnel id
4. cts sgt inline
5. exit

DETAILED STEPS

Step 1 enable
Example:
Device> enable

Enables privileged EXEC mode.
• Enter your password if prompted.

Step 2 configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 3 interface tunnel tunnel id
Example:
Device(config)# interface tunnel 1

Specifies a tunnel interface number, and enters interface configuration mode.

Step 4 cts sgt inline
Example:
Device(config-if)# cts sgt inline

Enables TrustSec on DMVPN. This command is valid for generic routing encapsulation (GRE) and tunnel interface modes only.

Step 5 exit
Example:
Device(config)# exit

Exits global configuration mode.

Monitoring and Verifying TrustSec DMVPN Inline Tagging Support


To monitor and verify the TrustSec DMVPN Inline Tagging Support configuration, perform the following
steps.

SUMMARY STEPS
1. enable
2. show dmvpn
3. show ip nhrp nhs detail
4. show tunnel endpoints
5. show adjacency interface-type interface-number detail

DETAILED STEPS

Step 1 enable
Example:
Device> enable

Enables privileged EXEC mode.


Step 2 show dmvpn
Example:
Device# show dmvpn

Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override
C - CTS Capable
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 1.1.1.99 10.1.1.99 UP 00:00:01 SC

Use this command to display Dynamic Multipoint VPN (DMVPN)-specific session information.
Step 3 show ip nhrp nhs detail
Example:
Device# show ip nhrp nhs detail

Legend: E=Expecting replies, R=Responding, W=Waiting
Tunnel0:
10.1.1.99 RE NBMA Address: 1.1.1.99 priority = 0 cluster = 0 req-sent 44 req-failed 0 repl-recv 43 (00:01:37 ago)
TrustSec Enabled

Use this command to display Next Hop Resolution Protocol (NHRP) next hop server (NHS) information.
Step 4 show tunnel endpoints
Example:
Device# show tunnel endpoints

Tunnel0 running in multi-GRE/IP mode

Endpoint transport 1.1.1.99 Refcount 3 Base 0xF3FB79B4 Create Time 00:03:15
overlay 10.1.1.99 Refcount 2 Parent 0xF3FB79B4 Create Time 00:03:15
Tunnel Subblocks:
tunnel-nhrp-sb:
NHRP subblock has 1 entries; TrustSec enabled

Use this command to display the contents of the tunnel endpoint database that is used for tunnel endpoint address resolution,
when running a tunnel in multipoint generic routing encapsulation (mGRE) mode.
Step 5 show adjacency interface-type interface-number detail
Example:
Device# show adjacency tunnel0 detail

Protocol Interface Address
IP Tunnel0 10.1.1.99(2)
0 packets, 0 bytes
epoch 0
sourced in sev-epoch 1
Encap length 32
4500000000000000FF2FB76901010101
01010163000089090800010100010000
Tun endpt
Next chain element:
.
.
.

Use this command to display information about the protocol.

Enabling IPsec Inline Tagging on IKEv2 Networks


Configuring both the cts sgt inline and the crypto ikev2 cts sgt commands results in packets being tagged twice,
once by each command.

Before you begin


IKEv2 and IPsec must be configured.

SUMMARY STEPS
1. enable
2. configure terminal
3. crypto ikev2 cts sgt
4. exit

DETAILED STEPS

Step 1 enable
Example:
Device> enable

Enables privileged EXEC mode.
• Enter your password if prompted.

Step 2 configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 3 crypto ikev2 cts sgt
Example:
Device(config)# crypto ikev2 cts sgt

Enables TrustSec on DMVPN on IKEv2 networks. This command is valid for generic routing encapsulation (GRE) and tunnel interface modes only.

Step 4 exit
Example:
Device(config)# exit

Exits global configuration mode.

Configuration Examples for TrustSec DMVPN Inline Tagging Support

Example: Enabling IPsec Inline Tagging on IKEv2 Networks
Static VTI Initiator Configuration
The following example shows how to enable IPsec inline tagging on a static VTI initiator. You can use this
configuration for configuring crypto maps and VTIs.
crypto ikev2 proposal p1
encryption 3des
integrity md5
group 2
!
crypto ikev2 policy policy1
proposal p1
!
crypto ikev2 keyring key
peer peer
address ::/0
pre-shared-key cisco
!
peer v4
address 0.0.0.0 0.0.0.0
pre-shared-key cisco
!
!
!
crypto ikev2 profile prof3
match identity remote address 0.0.0.0
authentication local pre-share
authentication remote pre-share
keyring key
!
crypto ikev2 cts sgt
!
crypto ipsec transform-set trans esp-3des esp-sha-hmac
!
crypto map cmap 1 ipsec-isakmp
set peer 10.1.1.2
set transform-set trans
set ikev2-profile prof3
match address ipv4acl
!
!
interface Loopback1
ip address 209.165.201.1 255.255.255.224
ipv6 address 2001::4:1/112
!
interface Loopback2
ip address 209.165.200.1 255.255.255.224
ipv6 address 2001::40:1/112
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 192.168.210.74 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 172.16.0.1 255.240.0.0
duplex auto
speed auto
ipv6 address 2001::5:1/112
ipv6 enable
crypto map cmap
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 172.16.0.2
ip route 10.12.255.200 255.0.0.0 172.31.255.254
!
ip access-list extended ipv4acl
permit ip host 209.165.201.1 host 192.168.12.125
permit ip host 209.165.200.1 host 172.18.0.1
permit ip host 172.28.0.1 host 10.10.10.1
permit ip host 10.12.255.200 host 192.168.14.1
!
logging esm config
ipv6 route ::/0 2001::5:2
!
!
!
!
!!
control-plane
!
!
!
line con 0
exec-timeout 0 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login
transport input all
!
exception data-corruption buffer truncate
scheduler allocate 20000 1000

Dynamic VTI Responder Configuration


The following example shows how to enable IPsec inline tagging on a dynamic VTI responder. You can use
this configuration for configuring crypto maps and VTIs.
crypto ikev2 proposal p1
encryption 3des
integrity md5
group 2
!
crypto ikev2 policy policy1
proposal p1
!
crypto ikev2 keyring key
peer peer
address 172.160.1.1 255.240.0.0
pre-shared-key cisco
!
peer v4_p2
address 172.31.255.1 255.240.0.0
pre-shared-key cisco
!
crypto ikev2 profile prof
match identity remote address 0.0.0.0
authentication local pre-share
authentication remote pre-share
keyring key
virtual-template 25
!
crypto ikev2 cts sgt
!
crypto ipsec transform-set trans esp-null esp-sha-hmac
!
crypto ipsec profile prof_ipv4
set transform-set trans
set ikev2-profile prof1_ipv4
!
!
interface Loopback0
ip address 192.168.12.1 255.255.0.0
!
interface Loopback1
no ip address
!
interface Loopback2
ip address 172.18.0.1 255.240.0.0
!
interface Loopback10
no ip address
ipv6 address 2001::8:1/112
!
interface Loopback11
no ip address
ipv6 address 2001::80:1/112
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 10.1.1.2 255.0.0.0
duplex auto
speed auto
ipv6 address 2001::7:1/112
ipv6 enable
!
interface GigabitEthernet0/1
ip address 10.10.10.2 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/2
ip address 192.168.210.144 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/0/0
no ip address
shutdown
!
interface FastEthernet0/0/1
no ip address
!
interface FastEthernet0/0/2
no ip address
!
interface FastEthernet0/0/3
no ip address
!
!
interface Virtual-Template25 type tunnel
ip unnumbered GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile prof_ipv4
!
interface Vlan1
no ip address
!
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.1.1.1
ip route 172.17.0.0 255.240.0.0 10.10.10.1
!
logging esm config
ipv6 route ::/0 2001::7:2
!
control-plane
!
!
!
line con 0
exec-timeout 0 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login
transport input all
!
exception data-corruption buffer truncate
scheduler allocate 20000 1000
end

Additional References for TrustSec DMVPN Inline Tagging Support

Related Documents

Related Topic                          Document Title
Cisco IOS commands                     Cisco IOS Master Command List, All Releases
Security commands                      • Cisco IOS Security Command Reference Commands A to C
                                       • Cisco IOS Security Command Reference Commands D to L
                                       • Cisco IOS Security Command Reference Commands M to R
                                       • Cisco IOS Security Command Reference Commands S to Z
Cisco TrustSec and SXP configuration   Cisco TrustSec Switch Configuration Guide
IPsec configuration                    Configuring Security for VPNs with IPsec
IKEv2 configuration                    Configuring Internet Key Exchange Version 2 (IKEv2) and FlexVPN Site-to-Site
Cisco Secure Access Control Server     Configuration Guide for the Cisco Secure ACS

Technical Assistance

Description                                                     Link
The Cisco Support and Documentation website provides online     http://www.cisco.com/cisco/web/support/index.html
resources to download documentation, software, and tools.
Use these resources to install and configure the software
and to troubleshoot and resolve technical issues with Cisco
products and technologies. Access to most tools on the Cisco
Support and Documentation website requires a Cisco.com user
ID and password.

Feature Information for TrustSec DMVPN Inline Tagging Support


The following table provides release information about the feature or features described in this module. This
table lists only the software release that introduced support for a given feature in a given software release
train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 24: Feature Information for Configuring TrustSec DMVPN Inline Tagging Support

Feature Name                            Releases   Feature Information
TrustSec DMVPN Inline Tagging Support              The TrustSec DMVPN Inline Tagging Support feature enables IPsec to carry the
                                                   Cisco TrustSec (CTS) Security Group Tag (SGT) between IPsec peers.
                                                   The following commands were introduced or modified: cts sgt inline,
                                                   show dmvpn, show ip nhrp nhs, show tunnel endpoints, show adjacency.

CHAPTER 14
Spoke-to-Spoke NHRP Summary Maps
The Spoke-to-Spoke NHRP Summary Maps feature summarizes and reduces the NHRP resolution traffic on
the network.
• Finding Feature Information, on page 197
• Information About Spoke-to-Spoke NHRP Summary Maps, on page 197
• How to Configure Spoke-to-Spoke NHRP Summary Maps, on page 199
• Configuration Examples for Spoke-to-Spoke NHRP Summary Maps, on page 203
• Additional References for Spoke-to-Spoke NHRP Summary Maps, on page 205
• Feature Information for Spoke-to-Spoke NHRP Summary Maps, on page 205

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Information About Spoke-to-Spoke NHRP Summary Maps


Spoke-to-Spoke NHRP Summary Maps
In DMVPN phase 3, route summarization is performed at a hub. The hub is the next hop for any spoke to
reach any network behind another spoke. On receiving a packet, the hub sends a redirect message to the local spoke,
instructing it to send a Next Hop Resolution Protocol (NHRP) resolution request for the destination network.
The hub forwards the resolution request to the remote spoke that has the destination LAN network. The remote
spoke responds to the resolution request and initiates a tunnel with the local spoke.
When a spoke answers an NHRP resolution request for a local host, it uses the explicit IP address network
and subnet mask from the Routing Information Base (RIB) in its response. When there are multiple networks behind
a local spoke, a host behind a remote spoke needs a similar NHRP exchange for each of these networks before it can
exchange packets with the hosts in them. Handling these NHRP messages becomes difficult with a huge number of
spokes and large networks behind each spoke.

The number of NHRP messages between spokes can be limited when the first NHRP resolution reply provides
information about the whole network behind a local spoke instead of a specific network. The spoke-to-spoke NHRP
summary map uses the configured IP address network and subnet mask in the NHRP resolution response
instead of the IP address network and subnet mask from the RIB. If the RIB has a larger number of IP address networks
(with a shorter subnet mask length) than the configured IP address network and subnet mask, the spoke still uses the
configured IP address network and subnet mask in the NHRP resolution response, thereby summarizing and
reducing the NHRP resolution traffic on the network. Use the ip nhrp summary-map command to configure an
NHRP summary map on a spoke.

Note In DMVPN, it is recommended to configure a Rendezvous Point (RP) at or behind the hub. If there is an IP
multicast source behind a spoke, the ip pim spt-threshold infinity command must be configured on spokes
to avoid multicast traffic going through spoke-to-spoke tunnels.

How Spoke-to-Spoke NHRP Summary Maps Work


On receiving the resolution request, the spoke:
1. Looks up the destination in the RIB, which returns an IP address network and subnet mask.
2. Checks the IP address and subnet mask against the configured NHRP summary map and verifies whether the
destination IP address is covered.
3. Sends the summary map in the NHRP resolution reply to the remote spoke; NHRP on the remote
spoke adds the IP address network and subnet mask, with the local spoke as the next hop, to its RIB.

The entire network behind the local spoke is identified to the remote spoke with one NHRP resolution request.
The following figure shows the working of spoke-to-spoke NHRP summary maps.
Figure 10: Spoke-to-Spoke NHRP Summary Maps

A local spoke with the address space 192.0.0.0/19 on its local LAN has all 32 /24 RIB entries,
192.0.0.0/24 through 192.0.31.0/24. When a routing protocol like EIGRP is used to advertise this local address
space, the routing protocol is configured to summarize the networks to 192.0.0.0/19 and advertise that to the
hub. The hub summarizes this further, to 192.0.0.0/16, when it advertises it to the other spokes. The other
spokes start with only a 192.0.0.0/16 routing table entry with the next hop of the hub in the RIB.

If a remote host communicates with 192.0.12.1, the local spoke receives the NHRP resolution request for
192.0.12.1/32. It looks into the RIB and returns 192.0.12.0/24 in the NHRP resolution reply.
If the local spoke is configured with an NHRP summary map, for example "ip nhrp summary-map 192.0.0.0/19", the
local spoke, upon receiving the resolution request for 192.0.12.1, checks the RIB, which returns 192.0.12.0/24.
The local spoke then checks the summary map configuration 192.0.0.0/19, verifies that the destination
192.0.12.1/32 is covered, and returns 192.0.0.0/19 in the NHRP resolution reply.
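The resolution described above, run with and without a summary map, as an added Python model (not Cisco IOS code). The spoke tunnel addresses 10.0.0.10 and 10.0.0.20 are constructed, the hub's forwarding of the resolution request is reduced to a direct call between the two spokes, and the 32 /24 LANs and the hub's 192.0.0.0/16 summary are taken from the figure.

```python
"""Model of spoke-to-spoke NHRP resolution with and without 'ip nhrp summary-map'.
Added example; RIB, spokes and messages are simplified stand-ins for the real ones."""
from ipaddress import ip_address, ip_network

HUB = "hub"          # next hop learned from the hub's routing-protocol summary
LOCAL = "connected"  # a LAN directly behind this spoke


class Spoke:
    """A DMVPN phase 3 spoke: RIB {network: next_hop} plus its configured summary maps.
    Next hops are HUB, LOCAL, or a peer spoke's tunnel address (an NHRP shortcut)."""

    def __init__(self, name, tunnel_ip, rib, summary_maps=()):
        self.name = name
        self.tunnel_ip = tunnel_ip
        self.rib = {ip_network(net): nh for net, nh in rib.items()}
        self.summary_maps = [ip_network(s) for s in summary_maps]
        self.resolution_requests_sent = 0

    def longest_match(self, host):
        addr = ip_address(host)
        candidates = [net for net in self.rib if addr in net]
        return max(candidates, key=lambda net: net.prefixlen, default=None)

    def answer_resolution_request(self, host):
        """Steps 1-3 on the spoke that owns the destination LAN.
        Returns (network, next_hop) for the NHRP resolution reply, or None."""
        rib_net = self.longest_match(host)            # step 1: RIB lookup
        if rib_net is None or self.rib[rib_net] != LOCAL:
            return None                                # destination is not behind us
        for summary in self.summary_maps:              # step 2: summary-map check
            if ip_address(host) in summary:
                return summary, self.tunnel_ip         # step 3: reply with the summary
        return rib_net, self.tunnel_ip                 # no summary: reply with RIB prefix

    def resolve(self, host, remote_spoke):
        """Spoke that received the hub's redirect. A resolution request is sent only
        while the RIB still points at the hub for this host (the hub relaying the
        request is modelled as a direct call); the reply's prefix is installed with
        the remote spoke as next hop. Returns True if a request was sent."""
        current = self.longest_match(host)
        if current is not None and self.rib[current] != HUB:
            return False                               # shortcut already installed
        self.resolution_requests_sent += 1
        reply = remote_spoke.answer_resolution_request(host)
        if reply is not None:
            net, next_hop = reply
            self.rib[net] = next_hop
        return True


def build_topology(summary_maps=()):
    """Local spoke with the 32 LANs 192.0.0.0/24 .. 192.0.31.0/24 from the figure
    (constructed tunnel addresses); remote spoke knowing only the hub's /16 summary."""
    lans = {f"192.0.{i}.0/24": LOCAL for i in range(32)}
    local = Spoke("local", "10.0.0.10", lans, summary_maps)
    remote = Spoke("remote", "10.0.0.20", {"192.0.0.0/16": HUB})
    return local, remote


def resolution_traffic(summary_maps=()):
    """Have the remote spoke reach one host in each of the 32 LANs and report how many
    NHRP resolution requests that took and which prefixes it learned from the local spoke."""
    local, remote = build_topology(summary_maps)
    for i in range(32):
        remote.resolve(f"192.0.{i}.1", local)
    learned = sorted(str(net) for net, nh in remote.rib.items() if nh == local.tunnel_ip)
    return remote.resolution_requests_sent, learned


if __name__ == "__main__":
    print(resolution_traffic())                  # 32 requests, 32 /24 shortcut entries
    print(resolution_traffic(["192.0.0.0/19"]))  # 1 request, ['192.0.0.0/19']
```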

NHRP Summary Map Support for IPv6 Overlay


The spoke-to-spoke NHRP summary maps feature is supported on IPv6 and is configured using the ipv6 nhrp
summary-map command.

How to Configure Spoke-to-Spoke NHRP Summary Maps


Configuring Spoke-to-Spoke NHRP Summary Maps on Spoke

Note Perform the following task to configure the spoke device.

SUMMARY STEPS
1. enable
2. configure terminal
3. interface tunnel number
4. ip address ip-address mask secondary ip-address mask
5. ip nhrp authentication string
6. ip nhrp summary-map {ip-address | mask}
7. ip nhrp network-id number
8. ip nhrp nhs [hub-tunnel-ip-address] nbma [hub-wan-ip] multicast
9. ip nhrp shortcut
10. tunnel source {ip-address | type number}
11. tunnel mode gre multipoint
12. tunnel key key-number
13. end

DETAILED STEPS

Step 1 enable
Example:
Device> enable

Enables privileged EXEC mode.
• Enter your password if prompted.

Step 2 configure terminal
Example:
Device# configure terminal

Enters global configuration mode.

Step 3 interface tunnel number
Example:
Device(config)# interface tunnel 5

Configures a tunnel interface and enters interface configuration mode.
• number—Specifies the number of the tunnel interface that you want to create or configure. There is no limit
on the number of tunnel interfaces you can create.

Step 4 ip address ip-address mask secondary ip-address mask
Example:
Device(config-if)# ip address 10.0.0.2 255.255.255.0

Sets a primary or secondary IP address for the tunnel interface.
Note All hubs and spokes that are in the same DMVPN network must be addressed in the same IP subnet.

Step 5 ip nhrp authentication string
Example:
Device(config-if)# ip nhrp authentication donttell

Configures an authentication string for an interface using NHRP.

Step 6 ip nhrp summary-map {ip-address | mask}
Example:
Device(config-if)# ip nhrp summary-map 10.0.0.0/24

Summarizes and reduces the NHRP resolution traffic on the network.

Step 7 ip nhrp network-id number
Example:
Device(config-if)# ip nhrp network-id 99

Enables NHRP on an interface.
• number—Specifies a globally unique 32-bit network identifier from a nonbroadcast multiaccess (NBMA) network.

Step 8 ip nhrp nhs [hub-tunnel-ip-address] nbma [hub-wan-ip] multicast
Example:
Device(config-if)# ip nhrp nhs 10.0.0.1 nbma 172.17.0.1 multicast

Configures the hub router as the NHRP next-hop server.

Step 9 ip nhrp shortcut
Example:
Device(config-if)# ip nhrp shortcut

Enables NHRP shortcut switching.

Step 10 tunnel source {ip-address | type number}
Example:
Device(config-if)# tunnel source Gigabitethernet 0/0/0

Sets the source address for a tunnel interface.

Step 11 tunnel mode gre multipoint
Example:
Device(config-if)# tunnel mode gre multipoint

Sets the encapsulation mode to Multiple Generic Routing Encapsulation (mGRE) for the tunnel interface.
• Use this command if data traffic can use dynamic spoke-to-spoke traffic.

Step 12 tunnel key key-number
Example:
Device(config-if)# tunnel key 100000

(Optional) Enables an ID key for a tunnel interface.
• key-number—Specifies a number to identify a tunnel key. This must be set to the same value on all hubs
and spokes that are in the same DMVPN network.

Step 13 end
Example:
Device(config-if)# end

Exits interface configuration mode and returns to privileged EXEC mode.

Verifying Spoke-to-Spoke NHRP Summary Maps


SUMMARY STEPS
1. enable
2. show ip nhrp

DETAILED STEPS

Step 1 enable
Example:

Device> enable

Enables privileged EXEC mode.


• Enter your password if prompted.

Step 2 show ip nhrp
Example:
The following is an example of show command output on a spoke.

Device# show ip nhrp

15.0.0.1/32 (vrf1) via 15.0.0.1
Tunnel3 created 09:09:00, never expire
Type: static, Flags: used
NBMA address: 123.0.0.1
15.0.0.20/32 (vrf1) via 15.0.0.20
Tunnel3 created 00:00:54, expire 00:04:05
Type: dynamic, Flags: router nhop rib
NBMA address: 42.0.0.1
190.0.0.0/22 (vrf1) via 15.0.0.10
Tunnel3 created 09:09:00, never expire
Type: static, Flags: local
NBMA address: 121.0.0.1
(no-socket)
201.0.0.0/22 (vrf1) via 15.0.0.20
Tunnel3 created 00:00:54, expire 00:04:05
Type: dynamic, Flags: router rib nho
NBMA address: 42.0.0.1

Displays Next Hop Resolution Protocol (NHRP) mapping information.

Troubleshooting Spoke-to-Spoke NHRP Summary Maps


SUMMARY STEPS
1. debug dmvpn all nhrp

DETAILED STEPS

debug dmvpn all nhrp


Checks the IP address and subnet mask received by the spoke for a resolution request.
Example:

Device# debug dmvpn all nhrp

NHRP-RT: Attempting to create instance PDB for vrf global(0x0)(0x0)
NHRP-CACHE: Tunnel0: Cache add for target 67.0.0.1/32 vrf global(0x0) label none next-hop 67.0.0.1
NHRP-CACHE: Tunnel0: Cache add for target 67.0.0.0/24 vrf global(0x0) label none next-hop 15.0.0.30
80.0.0.1
NHRP-CACHE: Inserted subblock node(2 now) for cache: Target 67.0.0.0/24 nhop 15.0.0.30
NHRP-CACHE: Converted internal dynamic cache entry for 67.0.0.0/24 interface Tunnel0 vrf global(0x0)
to external
NHRP-RT: Adding route entry for 67.0.0.0/24 (Tunnel0 vrf:global(0x0)) to RIB
NHRP-RT: Route addition to RIB Successful
NHRP-RT: Route watch started for 67.0.0.0/23
NHRP-CACHE: Updating label on Tunnel0 for 15.0.0.30 vrf global(0x0), old none new none nhop 15.0.0.30
NHRP-CACHE: Tunnel0: Cache update for target 15.0.0.30/32 vrf global(0x0) label none next-hop 15.0.0.30
80.0.0.1
NHRP-CACHE: Deleting incomplete entry for 67.0.0.1/32 interface Tunnel0 vrf global(0x0)
NHRP-CACHE: Still other cache entries with same overlay nhop 67.0.0.1
NHRP-RT: Received route watch notification for 67.0.0.0/24
NHRP-RT: Covering prefix is 67.0.0.0/22
NHRP-RT: Received route watch notification for 67.0.0.0/24

Dynamic Multipoint VPN Configuration Guide, Cisco IOS Release 15M&T


202
Spoke-to-Spoke NHRP Summary Maps
Configuration Examples for Spoke-to-Spoke NHRP Summary Maps

NHRP-RT: (0x0):NHRP RIB entry for 67.0.0.0/24 is unreachable

Configuration Examples for Spoke-to-Spoke NHRP Summary Maps


Example: Spoke-to-Spoke NHRP Summary Maps


The following is an example of configuring DMVPN phase 3 on the hub for summary maps.

interface Tunnel0
ip address 15.0.0.1 255.255.255.0
no ip redirects
no ip split-horizon eigrp 2
ip nhrp authentication cisco123
ip nhrp network-id 23
ip nhrp redirect
ip summary-address eigrp 2 190.0.0.0 255.255.252.0
ip summary-address eigrp 2 201.0.0.0 255.255.252.0
tunnel source GigabitEthernet1/0/0
tunnel mode gre multipoint
tunnel key 6
end

The following example shows how to configure spoke-to-spoke NHRP summary maps on spoke 1.

interface Tunnel0
vrf forwarding vrf1
ip address 15.0.0.10 255.255.255.0
ip nhrp authentication cisco123
ip nhrp summary-map 190.0.0.0/22
ip nhrp network-id 5
ip nhrp nhs 15.0.0.1 nbma 123.0.0.1 multicast
ip nhrp shortcut
tunnel source GigabitEthernet0/1/0
tunnel mode gre multipoint
tunnel key 6
end

The following example shows how to configure spoke-to-spoke NHRP summary maps on spoke 2.

interface Tunnel0
ip address 15.0.0.20 255.255.255.0
ip nhrp authentication cisco123
ip nhrp summary-map 201.0.0.0/22
ip nhrp network-id 5
ip nhrp nhs 15.0.0.1 nbma 123.0.0.1 multicast
ip nhrp shortcut
tunnel source GigabitEthernet0/0/0
tunnel mode gre multipoint
tunnel key 6
end
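As an added example, not part of the Cisco guide, the following Python script parses the three tunnel blocks above and checks the properties that have to hold for spoke summary maps to work and to be safe to run: the hub sends redirects and the spokes accept shortcuts, every spoke uses the hub's tunnel key and lists the hub as its NHS, each spoke summary map is covered by a hub EIGRP summary, no two spokes claim overlapping summaries, and every tunnel has IPsec tunnel protection. The embedded configurations are constructed sample input (the page's own examples, trimmed to the lines the checks read); the finding strings and the function names are this script's own.

```python
import ipaddress
import re

# Constructed sample input: the hub and spoke tunnel blocks from the examples
# above, trimmed to the lines these checks read.
HUB_CONFIG = """\
interface Tunnel0
 ip address 15.0.0.1 255.255.255.0
 ip nhrp redirect
 ip summary-address eigrp 2 190.0.0.0 255.255.252.0
 ip summary-address eigrp 2 201.0.0.0 255.255.252.0
 tunnel key 6
end
"""
SPOKE_CONFIGS = {
    "spoke1": """\
interface Tunnel0
 vrf forwarding vrf1
 ip address 15.0.0.10 255.255.255.0
 ip nhrp summary-map 190.0.0.0/22
 ip nhrp nhs 15.0.0.1 nbma 123.0.0.1 multicast
 ip nhrp shortcut
 tunnel key 6
end
""",
    "spoke2": """\
interface Tunnel0
 ip address 15.0.0.20 255.255.255.0
 ip nhrp summary-map 201.0.0.0/22
 ip nhrp nhs 15.0.0.1 nbma 123.0.0.1 multicast
 ip nhrp shortcut
 tunnel key 6
end
""",
}


def parse_tunnel(config):
    """Pull the fields the checks need out of one 'interface TunnelN ... end' block."""
    t = {"address": None, "tunnel_key": None, "protection": None, "redirect": False,
         "shortcut": False, "summary_maps": [], "eigrp_summaries": [], "nhs": []}
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"ip address (\S+) (\S+)", line):
            t["address"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif m := re.fullmatch(r"tunnel key (\d+)", line):
            t["tunnel_key"] = int(m[1])
        elif m := re.fullmatch(r"tunnel protection ipsec profile (\S+)(?: shared)?", line):
            t["protection"] = m[1]
        elif m := re.fullmatch(r"ip nhrp summary-map (\S+)", line):
            t["summary_maps"].append(ipaddress.ip_network(m[1]))
        elif m := re.fullmatch(r"ip summary-address eigrp \d+ (\S+) (\S+)", line):
            t["eigrp_summaries"].append(ipaddress.ip_network(f"{m[1]}/{m[2]}"))  # mask -> CIDR
        elif m := re.fullmatch(r"ip nhrp nhs (\S+) nbma (\S+).*", line):
            t["nhs"].append((m[1], m[2]))
        elif line == "ip nhrp redirect":
            t["redirect"] = True
        elif line == "ip nhrp shortcut":
            t["shortcut"] = True
    return t


def lint(hub, spokes):
    """Return findings as strings; an empty list means the set of configs is consistent."""
    f = []
    if not hub["redirect"]:
        f.append("hub: 'ip nhrp redirect' missing, spokes are never told to build shortcuts")
    if hub["protection"] is None:
        f.append("hub: no 'tunnel protection ipsec profile', NHRP and data cross the underlay in the clear")
    claimed = []
    for name, sp in spokes.items():
        if sp["tunnel_key"] != hub["tunnel_key"]:
            f.append(f"{name}: tunnel key {sp['tunnel_key']} does not match hub tunnel key {hub['tunnel_key']}")
        if str(hub["address"].ip) not in [n for n, _ in sp["nhs"]]:
            f.append(f"{name}: hub {hub['address'].ip} is not configured as an NHS")
        if not sp["shortcut"]:
            f.append(f"{name}: 'ip nhrp shortcut' missing, resolution replies will not install shortcuts")
        if sp["protection"] is None:
            f.append(f"{name}: no 'tunnel protection ipsec profile', NHRP and data cross the underlay in the clear")
        for smap in sp["summary_maps"]:
            # A spoke summary map only pays off if the hub advertises a route covering it;
            # otherwise no other spoke has a route toward the prefix to trigger resolution.
            if not any(smap.subnet_of(s) for s in hub["eigrp_summaries"]):
                f.append(f"{name}: summary-map {smap} is not covered by any hub EIGRP summary")
            claimed.append((name, smap))
    for i, (n1, s1) in enumerate(claimed):
        for n2, s2 in claimed[i + 1:]:
            if s1.overlaps(s2):
                f.append(f"{n1} and {n2} claim overlapping summary maps {s1} and {s2}")
    return f


def lint_texts(hub_text, spoke_texts):
    return lint(parse_tunnel(hub_text), {n: parse_tunnel(c) for n, c in spoke_texts.items()})


if __name__ == "__main__":
    for finding in lint_texts(HUB_CONFIG, SPOKE_CONFIGS):
        print(finding)
```

Run against the page's three examples, the only findings are the three missing tunnel protection lines; changing a spoke's tunnel key, pointing its summary map at a prefix the hub does not summarize, or giving two spokes overlapping summary maps each produces its own finding.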

The following is sample output from the show ip nhrp command on the hub. The hub holds one dynamic, registered entry per spoke. Because summary maps are configured only on the spokes and are carried only in spoke-to-spoke resolution replies, no summary prefixes appear in the hub cache.

Device# show ip nhrp

15.0.0.10/32 via 15.0.0.10
   Tunnel0 created 00:22:26, expire 00:07:35
   Type: dynamic, Flags: registered used nhop
   NBMA address: 41.0.0.1
15.0.0.20/32 via 15.0.0.20
   Tunnel0 created 00:13:43, expire 00:09:36
   Type: dynamic, Flags: registered used nhop
   NBMA address: 42.0.0.1

The following is sample output from the show ip nhrp command on spoke 1 (this output was captured on a device whose tunnel interface is Tunnel3, whereas the configuration example above uses Tunnel0). The 190.0.0.0/22 entry is spoke 1's own summary map, which appears as a static, local entry with no socket. After spoke 1 resolved a destination behind spoke 2, spoke 2 replied with its summary rather than a more specific prefix, so spoke 1 holds a single dynamic shortcut for 201.0.0.0/22 (flags router rib nho, that is, installed in the RIB as a next-hop override) alongside the 15.0.0.20/32 entry for spoke 2 itself.

Device# show ip nhrp

15.0.0.1/32 (vrf1) via 15.0.0.1
   Tunnel3 created 09:09:00, never expire
   Type: static, Flags: used
   NBMA address: 123.0.0.1
15.0.0.20/32 (vrf1) via 15.0.0.20
   Tunnel3 created 00:00:54, expire 00:04:05
   Type: dynamic, Flags: router nhop rib
   NBMA address: 42.0.0.1
190.0.0.0/22 (vrf1) via 15.0.0.10
   Tunnel3 created 09:09:00, never expire
   Type: static, Flags: local
   NBMA address: 121.0.0.1
   (no-socket)
201.0.0.0/22 (vrf1) via 15.0.0.20
   Tunnel3 created 00:00:54, expire 00:04:05
   Type: dynamic, Flags: router rib nho
   NBMA address: 42.0.0.1

The following is sample output from the show ip nhrp command on spoke 2. It is the mirror image of spoke 1: 201.0.0.0/22 is spoke 2's own summary map (static, local, no socket), and 190.0.0.0/22 is a dynamic shortcut learned from spoke 1's summary-map reply, pointing at spoke 1's tunnel address and NBMA address.

Device# show ip nhrp

15.0.0.1/32 via 15.0.0.1
   Tunnel0 created 09:08:16, never expire
   Type: static, Flags: used
   NBMA address: 123.0.0.1
15.0.0.10/32 via 15.0.0.10
   Tunnel0 created 00:00:04, expire 01:59:55
   Type: dynamic, Flags: router nhop rib
   NBMA address: 121.0.0.1
190.0.0.0/22 via 15.0.0.10
   Tunnel0 created 00:00:04, expire 01:59:55
   Type: dynamic, Flags: router rib nho
   NBMA address: 121.0.0.1
201.0.0.0/22 via 15.0.0.20
   Tunnel0 created 09:08:16, never expire
   Type: static, Flags: local
   NBMA address: 42.0.0.1
   (no-socket)

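As an added example, not taken from the Cisco guide, the following Python script parses show ip nhrp output such as the spoke displays above and verifies the state the summary-map feature is meant to produce on a spoke: the expected summary prefix is present as a dynamic shortcut with the rib and nho flags, it points at the expected peer, and that peer's own /32 entry exists with the same NBMA address (without it the shortcut cannot be used). The embedded output is constructed sample input, re-indented as IOS prints it; the reading of the nho flag as next-hop override and rib as installed in the routing table follows the outputs above, and the function names are this script's own.

```python
import re

# Constructed sample input: the 'show ip nhrp' output from spoke 2 above,
# re-indented as IOS prints it.
SPOKE2_SHOW_IP_NHRP = """\
15.0.0.1/32 via 15.0.0.1
   Tunnel0 created 09:08:16, never expire
   Type: static, Flags: used
   NBMA address: 123.0.0.1
15.0.0.10/32 via 15.0.0.10
   Tunnel0 created 00:00:04, expire 01:59:55
   Type: dynamic, Flags: router nhop rib
   NBMA address: 121.0.0.1
190.0.0.0/22 via 15.0.0.10
   Tunnel0 created 00:00:04, expire 01:59:55
   Type: dynamic, Flags: router rib nho
   NBMA address: 121.0.0.1
201.0.0.0/22 via 15.0.0.20
   Tunnel0 created 09:08:16, never expire
   Type: static, Flags: local
   NBMA address: 42.0.0.1
   (no-socket)
"""

ENTRY_RE = re.compile(r"(?P<prefix>\S+/\d+)(?: \((?P<vrf>[^)]+)\))? via (?P<nhop>\S+)")
IFACE_RE = re.compile(r"(?P<iface>\S+) created (?P<created>\S+), (?P<expire>never expire|expire \S+)")
TYPE_RE = re.compile(r"Type: (?P<type>\w+), Flags: (?P<flags>.*)")
NBMA_RE = re.compile(r"NBMA address: (?P<nbma>\S+)")


def parse_show_ip_nhrp(text):
    """Turn 'show ip nhrp' output into a list of cache-entry dicts, in display order."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := ENTRY_RE.fullmatch(line):
            cur = {"prefix": m["prefix"], "vrf": m["vrf"], "nhop": m["nhop"], "iface": None,
                   "type": None, "flags": set(), "nbma": None, "no_socket": False}
            entries.append(cur)
        elif cur is None:
            continue  # text before the first entry (banners, prompts)
        elif m := IFACE_RE.fullmatch(line):
            cur["iface"] = m["iface"]
        elif m := TYPE_RE.fullmatch(line):
            cur["type"], cur["flags"] = m["type"], set(m["flags"].split())
        elif m := NBMA_RE.fullmatch(line):
            cur["nbma"] = m["nbma"]
        elif line == "(no-socket)":
            cur["no_socket"] = True
    return entries


def summary_shortcuts(entries):
    """Dynamic, non-host entries flagged rib and nho: the shortcut routes that
    summary-map replies from other spokes caused NHRP to install."""
    return [e for e in entries if e["type"] == "dynamic"
            and not e["prefix"].endswith("/32") and {"nho", "rib"} <= e["flags"]]


def local_summary_maps(entries):
    """Static entries flagged local: the summary maps configured on this spoke itself."""
    return [e for e in entries if e["type"] == "static" and "local" in e["flags"]]


def check_summary_state(entries, expected):
    """expected maps summary prefix -> tunnel address of the spoke that should own it.
    Returns a list of problems; an empty list means the cache looks as the feature intends."""
    problems = []
    by_prefix = {e["prefix"]: e for e in entries}
    for prefix, nhop in expected.items():
        e = by_prefix.get(prefix)
        if e is None:
            problems.append(f"{prefix}: no NHRP cache entry")
            continue
        if e["nhop"] != nhop:
            problems.append(f"{prefix}: next hop {e['nhop']}, expected {nhop}")
        if e["type"] != "dynamic" or not {"nho", "rib"} <= e["flags"]:
            problems.append(f"{prefix}: not a RIB next-hop override shortcut "
                            f"(type {e['type']}, flags {sorted(e['flags'])})")
        # The shortcut is only usable if the next hop itself resolved to the same NBMA address.
        host = by_prefix.get(f"{nhop}/32")
        if host is None or host["nbma"] != e["nbma"]:
            problems.append(f"{prefix}: /32 entry for {nhop} missing or NBMA address differs")
    return problems


if __name__ == "__main__":
    cache = parse_show_ip_nhrp(SPOKE2_SHOW_IP_NHRP)
    print([e["prefix"] for e in summary_shortcuts(cache)])
    print(check_summary_state(cache, {"190.0.0.0/22": "15.0.0.10"}))
```

On the spoke 2 output the only shortcut is 190.0.0.0/22 via 15.0.0.10 and the check passes; asking for a prefix that was never resolved, or for the right prefix via the wrong spoke, returns the corresponding problems, which makes the function usable as a post-change verification step after enabling summary maps.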
Additional References for Spoke-to-Spoke NHRP Summary Maps

Related Documents

Related Topic: Cisco IOS commands
Document Title: Cisco IOS Master Command List, All Releases

Related Topic: Cisco IOS security commands
Document Title:
• Cisco IOS Security Command Reference: Commands A to C
• Cisco IOS Security Command Reference: Commands D to L
• Cisco IOS Security Command Reference: Commands M to R
• Cisco IOS Security Command Reference: Commands S to Z

Technical Assistance

Description: The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.
Link: http://www.cisco.com/cisco/web/support/index.html

Feature Information for Spoke-to-Spoke NHRP Summary Maps


The following table provides release information about the feature or features described in this module. This
table lists only the software release that introduced support for a given feature in a given software release
train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 25: Feature Information for Spoke-to-Spoke NHRP Summary Maps

Feature Name: Spoke-to-Spoke NHRP Summary Maps
Releases:
Feature Information: The Spoke-to-Spoke Next Hop Resolution Protocol (NHRP) Summary Maps feature summarizes and reduces the NHRP resolution traffic on the network. The following commands were introduced or modified by this feature: ip nhrp summary-map, ipv6 nhrp summary-map.
