How to Configure DMVPN in a Cisco Network: Complete Cisco IOS Guide

Dynamic Multipoint VPN (DMVPN) is a Cisco technology that combines multipoint GRE, NHRP, and IPsec to build scalable hub-and-spoke VPN overlays over public or private WAN transport. This guide walks through a practical Cisco IOS DMVPN configuration, explains how the pieces fit together, and shows the verification and troubleshooting commands you should run after deployment.

Lab Topology

What Is DMVPN in Cisco Networks?

DMVPN is designed to simplify large VPN topologies by reducing the need to configure a separate static GRE tunnel for every site pair. Cisco documents DMVPN as a combination of GRE tunnels, IPsec encryption, and NHRP, with crypto profiles used instead of traditional static crypto maps in many deployments. That design makes DMVPN especially useful for branch connectivity where spokes need to register dynamically with a central hub.

In a typical deployment:

• The hub acts as the NHRP server.
• The spokes act as NHRP clients.
• mGRE allows the hub to support many remote peers on one tunnel interface.
• IPsec protects the GRE traffic.

Why Use DMVPN?

DMVPN remains a strong option when you need scalable Cisco branch-to-hub connectivity, routing protocol support over the overlay, and secure transport across untrusted networks. Cisco also documents DMVPN support for dynamically assigned spoke addresses and large hub-and-spoke deployments, which is part of why it has remained a common design in enterprise WAN environments.

• Reduces tunnel configuration overhead on the hub
• Supports secure branch connectivity over the internet
• Works with dynamic routing protocols such as EIGRP, OSPF, and BGP
• Provides a path toward spoke-to-spoke optimization in more advanced phases

Core DMVPN Building Blocks

mGRE

Multipoint GRE lets the hub terminate many GRE peers on a single tunnel interface. This is one of the key reasons DMVPN scales better than building a point-to-point GRE tunnel for every branch.

NHRP

Next Hop Resolution Protocol maps overlay tunnel addresses to underlay NBMA addresses. In DMVPN, the hub maintains NHRP mappings for the spokes, and the spokes register with the hub so traffic can be forwarded across the tunnel infrastructure.

IPsec

GRE by itself does not encrypt traffic. Cisco DMVPN deployments typically apply an IPsec profile directly to the tunnel interface with tunnel protection ipsec profile.

DMVPN Phases

There are three common DMVPN design phases:

• Phase 1: Spokes communicate through the hub.
• Phase 2: Supports direct spoke-to-spoke tunnels with more routing awareness.
• Phase 3: Uses NHRP redirect and shortcut features to improve spoke-to-spoke path optimization.

This tutorial focuses on a straightforward hub-and-spoke style baseline because it is easier to validate and safer to use as a first deployment model before adding advanced shortcut behavior.

Example Lab Topology

• Hub public IP: 203.0.113.1
• Spoke1 public IP: 198.51.100.11
• Spoke2 public IP: 198.51.200.22
• Hub tunnel IP: 10.10.10.1/24
• Spoke1 tunnel IP: 10.10.10.11/24
• Spoke2 tunnel IP: 10.10.10.22/24
• NHRP network ID: 10
• Tunnel key: 100

Prerequisites

• Reachable underlay connectivity between the hub and all spokes
• Cisco IOS or IOS XE support for DMVPN, NHRP, mGRE, and IPsec tunnel protection
• Authorized administrative access to the routers
• Consistent crypto settings across all peers
• A plan for MTU and TCP MSS tuning if WAN encapsulation overhead becomes an issue

Step 1: Configure the Hub Router

The hub uses a multipoint GRE tunnel interface and accepts dynamic NHRP multicast mappings from the spokes.

hostname HUB

interface Tunnel0
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 ip nhrp authentication DMVPNKEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 10
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROFILE

interface FastEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 no shutdown

crypto isakmp policy 10
 encr aes
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400

crypto isakmp key CISCO123 address 0.0.0.0 0.0.0.0

crypto ipsec transform-set DMVPN-SET esp-aes esp-sha-hmac
 mode transport

crypto ipsec profile DMVPN-PROFILE
 set transform-set DMVPN-SET

Important points:

• tunnel mode gre multipoint is what enables the hub to serve multiple spokes from one tunnel interface.
• ip nhrp map multicast dynamic allows multicast registration from spokes, which matters for routing protocols over the tunnel.
• tunnel protection ipsec profile applies IPsec directly to the GRE tunnel interface.

Step 2: Configure the Spoke Routers

Each spoke points at the hub public IP and registers to the hub as the Next Hop Server.

Spoke1

hostname SPOKE1

interface Tunnel0
 ip address 10.10.10.11 255.255.255.0
 no ip redirects
 ip nhrp authentication DMVPNKEY
 ip nhrp map 10.10.10.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 10
 ip nhrp nhs 10.10.10.1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROFILE

interface FastEthernet0/0
 ip address 198.51.100.2 255.255.255.252
 no shutdown

crypto isakmp policy 10
 encr aes
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400

crypto isakmp key CISCO123 address 203.0.113.1

crypto ipsec transform-set DMVPN-SET esp-aes esp-sha-hmac
 mode transport

crypto ipsec profile DMVPN-PROFILE
 set transform-set DMVPN-SET

Spoke2

hostname SPOKE2

interface Tunnel0
 ip address 10.10.10.22 255.255.255.0
 no ip redirects
 ip nhrp authentication DMVPNKEY
 ip nhrp map 10.10.10.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 10
 ip nhrp nhs 10.10.10.1
 tunnel source FastEthernet0/1
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROFILE

interface FastEthernet0/1
 ip address 198.51.200.2 255.255.255.252
 no shutdown

crypto isakmp policy 10
 encr aes
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400

crypto isakmp key CISCO123 address 203.0.113.1

crypto ipsec transform-set DMVPN-SET esp-aes esp-sha-hmac
 mode transport

crypto ipsec profile DMVPN-PROFILE
 set transform-set DMVPN-SET

Step 3: Add Routing Over DMVPN

DMVPN becomes operationally useful when you advertise branch networks across the tunnel. OSPF is a common choice in Cisco-centric environments.

ISP1 OSPF

 router ospf 1
 log-adjacency-changes
 network 198.51.100.0 0.0.0.3 area 0
 network 198.51.200.0 0.0.0.3 area 0
 network 200.75.75.0 0.0.0.3 area 0

ISP2 OSPF

 router ospf 1
 log-adjacency-changes
 network 200.75.75.0 0.0.0.3 area 0
 network 203.0.113.0 0.0.0.3 area 0

HUB static default route

ip route 0.0.0.0 0.0.0.0 203.0.113.2 name ISP1

In this baseline model, spokes typically reach each other through the hub. That makes the behavior easier to understand before you move to shortcut-based DMVPN designs.

How DMVPN Registration Works

1. The spoke brings up the tunnel and reaches the hub underlay address.
2. The spoke registers its tunnel address and public NBMA address with the hub using NHRP.
3. The hub stores that mapping and uses it to resolve overlay-to-underlay forwarding.
4. IPsec protects the GRE tunnel traffic.
5. The routing protocol exchanges branch routes across the overlay.

How to Verify DMVPN on Cisco IOS

After configuration, validate the tunnel, NHRP registration, crypto sessions, and routing state.

show dmvpn
show ip nhrp
show crypto isakmp sa
show crypto session
show crypto ipsec sa
show ip eigrp neighbors
show ip route
show interface tunnel0

These commands are especially useful:

• show dmvpn to review peer state and DMVPN status
• show ip nhrp to confirm NHRP mappings and registration
• show crypto session and show crypto ipsec sa to validate encryption
• show ip route to confirm remote branch prefixes are installed over the tunnel

Common DMVPN Troubleshooting Checks

NHRP Registration Problems

If a spoke is stuck during NHRP establishment, verify the NHRP authentication string, network ID, tunnel key, and underlay reachability. Cisco troubleshooting guidance highlights common DMVPN failures around mismatched settings and registration problems.

Crypto Does Not Come Up

Check your ISAKMP or IKE parameters, pre-shared keys, transform sets, and IPsec profile assignments. Even small mismatches can keep the tunnel from reaching a fully protected operational state.

Routes Are Missing

Confirm that your routing protocol is enabled on the tunnel interface, that the correct LAN networks are advertised, and that no filtering or passive-interface setting is blocking adjacency or route exchange.

MTU and MSS Issues

GRE and IPsec add overhead. If applications are unstable or pings succeed but larger flows fail, tune the tunnel MTU and TCP MSS.

interface Tunnel0
 ip mtu 1400
 ip tcp adjust-mss 1360

Security and Operational Best Practices

• Use strong, platform-supported cryptographic settings.
• Restrict router management access with AAA and ACLs.
• Log tunnel and crypto events centrally.
• Document tunnel addressing, NHRP IDs, and underlay dependencies.
• Test spoke recovery and hub failover in an authorized maintenance window.

This guidance is intended for authorized network administration and legitimate operational recovery only.

Final Thoughts

DMVPN is still an important Cisco WAN skill because it gives you a scalable way to connect remote routers using mGRE, NHRP, and IPsec. The most reliable deployment path is to start with a clean hub-and-spoke design, confirm NHRP registration, verify IPsec protection, and then validate routing. Once those layers are working, expanding the design becomes much easier.