This is the third and final post regarding DMVPN which will cover Phase-3. Phase-2 and Phase-3 are very similar. In both phases, spokes can access each other directly by bringing an on demand tunnel. That said, there is some minor configuration difference and specific commands that we need to add to the tunnel interfaces of the hub and spokes. I feel like I have covered a good amount of static mapping in the previous two posts, I will just use dynamic mapping here. R1: interface Tunnel0 ip address 10.1.1.1 255.255.255.0 no ip redirects ip nhrp map multicast dynamic ip nhrp network-id 111 ip nhrp redirect tunnel source FastEthernet0/0 tunnel mode gre multipoint R2: interface Tunnel0 ip address 10.1.1.2 255.255.255.0 no ip split-horizon eigrp 100
To continue with DMVPN topic, this post will be explaining DMVPN Phase-2. The main difference between Phase-1 and 2 is the spoke to spoke reachability. As shown in the previous post, a spoke can only reach another spoke through the Hub. There is no direct spoke to spoke communication. Phase-2, however, changes this behavior where spokes can talk to each other directly. I'm going to use the same topology and IP addressing. So let's go directly to the actual configuration. DMVPN Phase-2: Static Mapping R1: interface Tunnel0 ip address 10.1.1.1 255.255.255.0 ip nhrp map 10.1.1.2 192.168.1.2 ip nhrp map 10.1.1.3 192.168.1.3 ip nhrp map 10.1.1.4 192.168.1.4 ip nhrp network-id 111 tunnel source FastEthernet0/0 tunnel mode gre multipoint R2: interface Tunnel0 ip address 10.1.1.2 255.255.255.0 no ip
In this series, I'm going to explain all three phases of DMVPN. DMVPN should be thought of as a routing technology and not necessarily a security one. Yes, you can encrypt these VPN tunnels but DMVPN is more like dynamically created GRE tunnels with the use of NHRP. The encryption, while not mandatory, is typically used to secure the encapsulated traffic across the public internet. An important note, I find the naming Phase 1, 2 and 3 is very confusing as it clearly can get confused with IPsec Phases. A better way to think of is DMVPN Type 1, 2 and 3 were each type represents a different configuration and behavior. Throughout this post, I'm going to use the same topology below.