How to Configure DMVPN in a Cisco Network: Complete Cisco IOS Guide

Dynamic Multipoint VPN (DMVPN) is a Cisco technology that combines multipoint GRE, NHRP, and IPsec to build scalable hub-and-spoke VPN overlays over public or private WAN transport. This guide walks through a practical Cisco IOS DMVPN configuration, explains how the pieces fit together, and shows the verification and troubleshooting commands you should run after deployment.

What Is DMVPN in Cisco Networks?

DMVPN is designed to simplify large VPN topologies by reducing the need to configure a separate static GRE tunnel for every site pair. Cisco documents DMVPN as a combination of GRE tunnels, IPsec encryption, and NHRP, with crypto profiles used instead of traditional static crypto maps in many deployments. That design makes DMVPN especially useful for branch connectivity where spokes need to register dynamically with a central hub.

In a typical deployment:

- The hub acts as the NHRP server.
- The spokes act as NHRP clients.
- mGRE allows the hub to support many remote peers on one tunnel interface.
- IPsec protects the GRE traffic.

Why Use DMVPN?

DMVPN remains a strong option when you need scalable Cisco branch-to-hub connectivity, routing protocol support over the overlay, and secure transport across untrusted networks. Cisco also documents DMVPN support for dynamically assigned spoke addresses and large hub-and-spoke deployments, which is part of why it has remained a common design in enterprise WAN environments.

- Reduces tunnel configuration overhead on the hub
- Supports secure branch connectivity over the internet
- Works with dynamic routing protocols such as EIGRP, OSPF, and BGP
- Provides a path toward spoke-to-spoke optimization in more advanced phases

Core DMVPN Building Blocks

mGRE

Multipoint GRE lets the hub terminate many GRE peers on a single tunnel interface. This is one of the key reasons DMVPN scales better than building a point-to-point GRE tunnel for every branch.

NHRP

Next Hop Resolution Protocol maps overlay tunnel addresses to underlay NBMA addresses. In DMVPN, the hub maintains NHRP mappings for the spokes, and the spokes register with the hub so traffic can be forwarded across the tunnel infrastructure.

IPsec

GRE by itself does not encrypt traffic. Cisco DMVPN deployments typically apply an IPsec profile directly to the tunnel interface with tunnel protection ipsec profile.

DMVPN Phases

There are three common DMVPN design phases:

- Phase 1: Spokes communicate through the hub.
- Phase 2: Supports direct spoke-to-spoke tunnels with more routing awareness.
- Phase 3: Uses NHRP redirect and shortcut features to improve spoke-to-spoke path optimization.

This tutorial focuses on a straightforward hub-and-spoke style baseline because it is easier to validate and safer to use as a first deployment model before adding advanced shortcut behavior.

Example Lab Topology

- Hub public IP: 203.0.113.1
- Spoke1 public IP: 198.51.100.11
- Spoke2 public IP: 198.51.100.22
- Hub tunnel IP: 10.10.10.1/24
- Spoke1 tunnel IP: 10.10.10.11/24
- Spoke2 tunnel IP: 10.10.10.22/24
- NHRP network ID: 10
- Tunnel key: 100

Prerequisites

- Reachable underlay connectivity between the hub and all spokes
- Cisco IOS or IOS XE support for DMVPN, NHRP, mGRE, and IPsec tunnel protection
- Authorized administrative access to the routers
- Consistent crypto settings across all peers
- A plan for MTU and TCP MSS tuning if WAN encapsulation overhead becomes an issue

Step 1: Configure the Hub Router

The hub uses a multipoint GRE tunnel interface and accepts dynamic NHRP multicast mappings from the spokes.

    hostname HUB
    !
    interface Tunnel0
     ip address 10.10.10.1 255.255.255.0
     no ip redirects
     ip nhrp authentication DMVPNKEY
     ip nhrp map multicast dynamic
     ip nhrp network-id 10
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     tunnel key 100
     tunnel protection ipsec profile DMVPN-PROFILE
    !
    interface GigabitEthernet0/0
     ip address 203.0.113.1 255.255.255.0
     no shutdown
    !
    crypto isakmp policy 10
     encr aes
     hash sha256
     authentication pre-share
     group 14
     lifetime 86400
    !
    ! Lab placeholder key; address 0.0.0.0 0.0.0.0 accepts this key from any peer address
    crypto isakmp key CISCO123 address 0.0.0.0 0.0.0.0
    !
    crypto ipsec transform-set DMVPN-SET esp-aes esp-sha-hmac
     mode transport
    !
    crypto ipsec profile DMVPN-PROFILE
     set transform-set DMVPN-SET

Important points:

- tunnel mode gre multipoint is what enables the hub to serve multiple spokes from one tunnel interface.
- ip nhrp map multicast dynamic allows multicast registration from spokes, which matters for routing protocols over the tunnel.
- tunnel protection ipsec profile applies IPsec directly to the GRE tunnel interface.

Step 2: Configure the Spoke Routers

Each spoke points at the hub public IP and registers to the hub as the Next Hop Server.

Spoke1

    hostname SPOKE1
    !
    interface Tunnel0
     ip address 10.10.10.11 255.255.255.0
     no ip redirects
     ip nhrp authentication DMVPNKEY
     ip nhrp map 10.10.10.1 203.0.113.1
     ip nhrp map multicast 203.0.113.1
     ip nhrp network-id 10
     ip nhrp nhs 10.10.10.1
     tunnel source GigabitEthernet0/0
     tunnel destination 203.0.113.1
     tunnel key 100
     tunnel protection ipsec profile DMVPN-PROFILE
    !
    interface GigabitEthernet0/0
     ip address 198.51.100.11 255.255.255.0
     no shutdown
    !
    crypto isakmp policy 10
     encr aes
     hash sha256
     authentication pre-share
     group 14
     lifetime 86400
    !
    crypto isakmp key CISCO123 address 203.0.113.1
    !
    crypto ipsec transform-set DMVPN-SET esp-aes esp-sha-hmac
     mode transport
    !
    crypto ipsec profile DMVPN-PROFILE
     set transform-set DMVPN-SET

Spoke2

    hostname SPOKE2
    !
    interface Tunnel0
     ip address 10.10.10.22 255.255.255.0
     no ip redirects
     ip nhrp authentication DMVPNKEY
     ip nhrp map 10.10.10.1 203.0.113.1
     ip nhrp map multicast 203.0.113.1
     ip nhrp network-id 10
     ip nhrp nhs 10.10.10.1
     tunnel source GigabitEthernet0/0
     tunnel destination 203.0.113.1
     tunnel key 100
     tunnel protection ipsec profile DMVPN-PROFILE
    !
    interface GigabitEthernet0/0
     ip address 198.51.100.22 255.255.255.0
     no shutdown
    !
    crypto isakmp policy 10
     encr aes
     hash sha256
     authentication pre-share
     group 14
     lifetime 86400
    !
    crypto isakmp key CISCO123 address 203.0.113.1
    !
    crypto ipsec transform-set DMVPN-SET esp-aes esp-sha-hmac
     mode transport
    !
    crypto ipsec profile DMVPN-PROFILE
     set transform-set DMVPN-SET

Step 3: Add Routing Over DMVPN

DMVPN becomes operationally useful when you advertise branch networks across the tunnel. EIGRP is a common choice in Cisco-centric environments.

Hub EIGRP

    router eigrp 100
     network 10.10.10.0 0.0.0.255
     no auto-summary
    !
    ! Without this, EIGRP split horizon stops the hub from re-advertising
    ! one spoke's routes to the other spokes out of the same tunnel interface
    interface Tunnel0
     no ip split-horizon eigrp 100

Spoke1 EIGRP

    router eigrp 100
     network 10.10.10.0 0.0.0.255
     network 10.1.1.0 0.0.0.255
     no auto-summary

Spoke2 EIGRP

    router eigrp 100
     network 10.10.10.0 0.0.0.255
     network 10.2.2.0 0.0.0.255
     no auto-summary

In this baseline model, spokes typically reach each other through the hub.
That makes the behavior easier to understand before you move to shortcut-based DMVPN designs.

How DMVPN Registration Works

1. The spoke brings up the tunnel and reaches the hub underlay address.
2. The spoke registers its tunnel address and public NBMA address with the hub using NHRP.
3. The hub stores that mapping and uses it to resolve overlay-to-underlay forwarding.
4. IPsec protects the GRE tunnel traffic.
5. The routing protocol exchanges branch routes across the overlay.

How to Verify DMVPN on Cisco IOS

After configuration, validate the tunnel, NHRP registration, crypto sessions, and routing state.

    show dmvpn
    show ip nhrp
    show crypto isakmp sa
    show crypto session
    show crypto ipsec sa
    show ip eigrp neighbors
    show ip route
    show interface tunnel0

These commands are especially useful:

- show dmvpn to review peer state and DMVPN status
- show ip nhrp to confirm NHRP mappings and registration
- show crypto session and show crypto ipsec sa to validate encryption
- show ip route to confirm remote branch prefixes are installed over the tunnel

Common DMVPN Troubleshooting Checks

NHRP Registration Problems

If a spoke is stuck during NHRP establishment, verify the NHRP authentication string, network ID, tunnel key, and underlay reachability. Cisco troubleshooting guidance highlights common DMVPN failures around mismatched settings and registration problems.

Crypto Does Not Come Up

Check your ISAKMP or IKE parameters, pre-shared keys, transform sets, and IPsec profile assignments. Even small mismatches can keep the tunnel from reaching a fully protected operational state.

Routes Are Missing

Confirm that your routing protocol is enabled on the tunnel interface, that the correct LAN networks are advertised, and that no filtering or passive-interface setting is blocking adjacency or route exchange.

MTU and MSS Issues

GRE and IPsec add overhead. If applications are unstable or pings succeed but larger flows fail, tune the tunnel MTU and TCP MSS.

    interface Tunnel0
     ip mtu 1400
     ip tcp adjust-mss 1360

Security and Operational Best Practices

- Use strong, platform-supported cryptographic settings.
- Restrict router management access with AAA and ACLs.
- Log tunnel and crypto events centrally.
- Document tunnel addressing, NHRP IDs, and underlay dependencies.
- Test spoke recovery and hub failover in an authorized maintenance window.

This guidance is intended for authorized network administration and legitimate operational recovery only.

Final Thoughts

DMVPN is still an important Cisco WAN skill because it gives you a scalable way to connect remote routers using mGRE, NHRP, and IPsec. The most reliable deployment path is to start with a clean hub-and-spoke design, confirm NHRP registration, verify IPsec protection, and then validate routing. Once those layers are working, expanding the design becomes much easier.
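
The mismatch checks listed under Common DMVPN Troubleshooting Checks (NHRP authentication string, network ID, tunnel key, IKE parameters, pre-shared key, transform set) can be run against saved configs before a change window. The Python script below is an added example, not part of the original guide; the function names and the trimmed sample configs, including the fault planted in SPOKE2, are constructed for illustration.

```python
import re

# Settings the troubleshooting checks say must agree on the hub and every spoke.
MUST_MATCH = {
    "nhrp_auth": r"^ *ip nhrp authentication (\S+)",
    "nhrp_network_id": r"^ *ip nhrp network-id (\d+)",
    "tunnel_key": r"^ *tunnel key (\d+)",
    "ike_encr": r"^ *encr (.+)$",
    "ike_hash": r"^ *hash (\S+)",
    "ike_group": r"^ *group (\d+)",
    "psk": r"^ *crypto isakmp key (\S+) address",
    "transform_set": r"^ *crypto ipsec transform-set \S+ (.+)$",
    "ipsec_mode": r"^ *mode (transport|tunnel)\b",
}

def extract(config):
    """Pull each compared setting out of one router's config text."""
    hits = {k: re.search(p, config, re.M) for k, p in MUST_MATCH.items()}
    return {k: m.group(1).strip() if m else None for k, m in hits.items()}

def mismatches(hub_cfg, spoke_cfgs):
    """Return {spoke: [names of settings that differ from the hub]}; values are never reported."""
    hub = extract(hub_cfg)
    return {name: sorted(k for k, v in extract(cfg).items() if v != hub[k])
            for name, cfg in spoke_cfgs.items()}

# Constructed samples, trimmed to the compared lines of the lab configs.
# SPOKE2 carries a planted fault: a typo in the NHRP string and a wrong tunnel key.
TEMPLATE = """interface Tunnel0
 ip nhrp authentication {auth}
 ip nhrp network-id 10
 tunnel key {key}
crypto isakmp policy 10
 encr aes
 hash sha256
 group 14
crypto isakmp key CISCO123 address {peer}
crypto ipsec transform-set DMVPN-SET esp-aes esp-sha-hmac
 mode transport
"""
HUB = TEMPLATE.format(auth="DMVPNKEY", key=100, peer="0.0.0.0 0.0.0.0")
SPOKES = {
    "SPOKE1": TEMPLATE.format(auth="DMVPNKEY", key=100, peer="203.0.113.1"),
    "SPOKE2": TEMPLATE.format(auth="DMVPNKEX", key=101, peer="203.0.113.1"),
}

if __name__ == "__main__":
    print(mismatches(HUB, SPOKES))
```

The report lists setting names only, so it can be pasted into a ticket without exposing the NHRP string or the pre-shared key.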