DMVPN configuration with both Hub and Spokes having a dynamically assigned NBMA (public) IP

Nico Eisma, Senior Network Engineer
I've written this article to illustrate how we can implement a Dynamic Multipoint VPN (DMVPN) with both hub and spokes having a dynamically assigned non-broadcast multiple-access (NBMA) network IP (public IP).

Here is the basic setup of DMVPN Phase 3. I'll not go into an in-depth discussion of DMVPN; rather, this article will focus more on the features that will enable a DMVPN with both hub and spokes having a dynamically assigned NBMA IP. The setup has been simulated using IOS version 15.4(2)T.
[Figure: DMVPN network diagram]
**************************************************************************************
                      (R1 configuration)
                      !
                      interface Loopback0
                       ip address 1.1.1.1 255.255.255.255
                      !
                      interface Tunnel0
                       ip address 10.0.0.1 255.255.255.0
                       ip nhrp authentication NHRP_KEY
                       ip nhrp map multicast dynamic
                       ip nhrp network-id 1
                       ip nhrp redirect
                       tunnel source Ethernet0/0
                       tunnel mode gre multipoint
                      !
                      interface Ethernet0/0
                       ip address 15.0.0.1 255.255.255.0
                      !
                      router eigrp 1
                       network 1.1.1.1 0.0.0.0
                       network 10.0.0.1 0.0.0.0
                      !
                      ip route 0.0.0.0 0.0.0.0 15.0.0.5
                      **************************************************************************************
                      (R2 configuration)
                      !
                      interface Loopback0
                       ip address 2.2.2.2 255.255.255.255
                      !
                      interface Tunnel0
                       ip address 10.0.0.2 255.255.255.0
                       ip nhrp authentication NHRP_KEY
                       ip nhrp map 10.0.0.1 15.0.0.1
                       ip nhrp map multicast 15.0.0.1
                       ip nhrp network-id 1
                       ip nhrp nhs 10.0.0.1
                       ip nhrp shortcut
                       tunnel source Ethernet0/0
                       tunnel mode gre multipoint
                      !
                      interface Ethernet0/0
                       ip address 25.0.0.2 255.255.255.0
                      !
                      router eigrp 1
                       network 2.2.2.2 0.0.0.0
                       network 10.0.0.2 0.0.0.0
                      !
                      ip route 0.0.0.0 0.0.0.0 25.0.0.5
                      **************************************************************************************
                      (R3 configuration)
                      !
                      interface Loopback0
                       ip address 3.3.3.3 255.255.255.255
                      !
                      interface Tunnel0
                       ip address 10.0.0.3 255.255.255.0
                       ip nhrp authentication NHRP_KEY
                       ip nhrp map 10.0.0.1 15.0.0.1
                       ip nhrp map multicast 15.0.0.1
                       ip nhrp network-id 1
                       ip nhrp nhs 10.0.0.1
                       ip nhrp shortcut
                       tunnel source Ethernet0/0
                       tunnel mode gre multipoint
                      !
                      interface Ethernet0/0
                       ip address 35.0.0.3 255.255.255.0
                      !
                      router eigrp 1
                       network 3.3.3.3 0.0.0.0
                       network 10.0.0.3 0.0.0.0
                      !
                      ip route 0.0.0.0 0.0.0.0 35.0.0.5
                      **************************************************************************************
                      (R4 configuration)
                      !
                      interface Loopback0
                       ip address 4.4.4.4 255.255.255.255
                      !
                      interface Tunnel0
                       ip address 10.0.0.4 255.255.255.0
                       ip nhrp authentication NHRP_KEY
                       ip nhrp map 10.0.0.1 15.0.0.1
                       ip nhrp map multicast 15.0.0.1
                       ip nhrp network-id 1
                       ip nhrp nhs 10.0.0.1
                       ip nhrp shortcut
                       tunnel source Ethernet0/0
                       tunnel mode gre multipoint
                      !
                      interface Ethernet0/0
                       ip address 45.0.0.4 255.255.255.0
                      !
                      router eigrp 1
                       network 4.4.4.4 0.0.0.0
                       network 10.0.0.4 0.0.0.0
                      !
                      ip route 0.0.0.0 0.0.0.0 45.0.0.5
                      **************************************************************************************
                      (Verification on Hub R1)
                      R1#
                      R1#show ip nhrp
                      10.0.0.2/32 via 10.0.0.2
                         Tunnel0 created 08:25:43, expire 01:31:32
                         Type: dynamic, Flags: unique registered used nhop
                         NBMA address: 25.0.0.2
                      10.0.0.3/32 via 10.0.0.3
                         Tunnel0 created 08:25:09, expire 01:34:52
                         Type: dynamic, Flags: unique registered used nhop
                         NBMA address: 35.0.0.3
                      10.0.0.4/32 via 10.0.0.4
                         Tunnel0 created 08:25:39, expire 01:32:28
                         Type: dynamic, Flags: unique registered used nhop
                         NBMA address: 45.0.0.4
                      R1#
                      R1#show dmvpn
                      Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
                              N - NATed, L - Local, X - No Socket
                              # Ent --> Number of NHRP entries with same NBMA peer
                              NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
                              UpDn Time --> Up or Down Time for a Tunnel
                      ==========================================================================
                      
                      Interface: Tunnel0, IPv4 NHRP Details
                      Type:Hub, NHRP Peers:3,
                      
                       # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
                       ----- --------------- --------------- ----- -------- -----
                           1 25.0.0.2               10.0.0.2    UP 08:25:45     D
                           1 35.0.0.3               10.0.0.3    UP 08:25:11     D
                           1 45.0.0.4               10.0.0.4    UP 08:25:41     D
                      
                      R1#
                      R1#show ip eigrp neighbor
                      EIGRP-IPv4 Neighbors for AS(1)
                      H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                                         (sec)         (ms)       Cnt Num
                      2   10.0.0.3                Tu0                      11 04:26:14    1  1398  0  3
                      0   10.0.0.4                Tu0                      12 04:27:42    5  1398  0  4
                      1   10.0.0.2                Tu0                      10 04:29:02    1  1398  0  5
                      R1#
                      R1#show ip route eigrp
                      Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
                             D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
                             N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
                             E1 - OSPF external type 1, E2 - OSPF external type 2
                             i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
                             ia - IS-IS inter area, * - candidate default, U - per-user static route
                             o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
                             a - application route
                             + - replicated route, % - next hop override
                      
                      Gateway of last resort is 15.0.0.5 to network 0.0.0.0
                      
                            2.0.0.0/32 is subnetted, 1 subnets
                      D        2.2.2.2 [90/27008000] via 10.0.0.2, 04:28:42, Tunnel0
                            3.0.0.0/32 is subnetted, 1 subnets
                      D        3.3.3.3 [90/27008000] via 10.0.0.3, 04:25:19, Tunnel0
                            4.0.0.0/32 is subnetted, 1 subnets
                      D        4.4.4.4 [90/27008000] via 10.0.0.4, 04:27:47, Tunnel0
                      R1#
                      **************************************************************************************
                      (Verification on Spoke R2)
                      R2#show ip nhrp
                      10.0.0.1/32 via 10.0.0.1
                         Tunnel0 created 00:00:14, never expire
                         Type: static, Flags: used
                         NBMA address: 15.0.0.1
                      R2#
                      R2#show dmvpn
                      Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
                              N - NATed, L - Local, X - No Socket
                              # Ent --> Number of NHRP entries with same NBMA peer
                              NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
                              UpDn Time --> Up or Down Time for a Tunnel
                      ==========================================================================
                      
                      Interface: Tunnel0, IPv4 NHRP Details
                      Type:Spoke, NHRP Peers:1,
                      
                       # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
                       ----- --------------- --------------- ----- -------- -----
                           1 15.0.0.1               10.0.0.1    UP 00:00:17     S
                      
                      R2#
                      R2#show ip route eigrp
                      Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
                             D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
                             N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
                             E1 - OSPF external type 1, E2 - OSPF external type 2
                             i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
                             ia - IS-IS inter area, * - candidate default, U - per-user static route
                             o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
                             a - application route
                             + - replicated route, % - next hop override
                      
                      Gateway of last resort is 25.0.0.5 to network 0.0.0.0
                      
                            1.0.0.0/32 is subnetted, 1 subnets
                      D        1.1.1.1 [90/27008000] via 10.0.0.1, 00:00:13, Tunnel0
                            3.0.0.0/32 is subnetted, 1 subnets
                      D        3.3.3.3 [90/28288000] via 10.0.0.1, 00:00:13, Tunnel0
                            4.0.0.0/32 is subnetted, 1 subnets
                      D        4.4.4.4 [90/28288000] via 10.0.0.1, 00:00:13, Tunnel0
                      R2#
                      R2#show ip cef 3.3.3.3
                      3.3.3.3/32
                        nexthop 10.0.0.1 Tunnel0
                      R2#
                      R2#traceroute 3.3.3.3 so 2.2.2.2
                      Type escape sequence to abort.
                      Tracing the route to 3.3.3.3
                      VRF info: (vrf in name/id, vrf out name/id)
                        1 10.0.0.1 1 msec 1 msec 0 msec
                        2 10.0.0.3 6 msec *  5 msec
                      R2#
                      R2#traceroute 3.3.3.3 so 2.2.2.2
                      Type escape sequence to abort.
                      Tracing the route to 3.3.3.3
                      VRF info: (vrf in name/id, vrf out name/id)
                        1 10.0.0.3 1 msec *  0 msec
                      R2#
                      R2#show ip route eigrp
                      Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
                             D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
                             N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
                             E1 - OSPF external type 1, E2 - OSPF external type 2
                             i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
                             ia - IS-IS inter area, * - candidate default, U - per-user static route
                             o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
                             a - application route
                             + - replicated route, % - next hop override
                      
                      Gateway of last resort is 25.0.0.5 to network 0.0.0.0
                      
                            1.0.0.0/32 is subnetted, 1 subnets
                      D        1.1.1.1 [90/27008000] via 10.0.0.1, 00:00:43, Tunnel0
                            3.0.0.0/32 is subnetted, 1 subnets
                      D   %    3.3.3.3 [90/28288000] via 10.0.0.1, 00:00:43, Tunnel0
                            4.0.0.0/32 is subnetted, 1 subnets
                      D        4.4.4.4 [90/28288000] via 10.0.0.1, 00:00:43, Tunnel0
                      R2#
                      R2#show ip cef 3.3.3.3
                      3.3.3.3/32
                        nexthop 10.0.0.3 Tunnel0
                      R2#
                      **************************************************************************************



Normally, DMVPN requires that the hub has a statically configured NBMA IP (one that does not change), while the spokes can have dynamically assigned NBMA IPs. It is important that the hub's NBMA IP does not change because it is referenced in the Next Hop Resolution Protocol (NHRP) static mapping on the spokes, as shown below.

interface Tunnel0
 ip nhrp map 10.0.0.1 15.0.0.1
 ip nhrp nhs 10.0.0.1



The problem with both hub and spokes having a dynamically assigned public IP is that, on the spokes, we would have to manually reconfigure the NHRP static mapping for the NHS IP and its NBMA IP every time the hub is assigned a new public IP.


So how can we implement a DMVPN with both hub and spokes having dynamically assigned public IPs (NBMA IPs)? The solution requires two features:

  • Dynamic DNS (DDNS) for the hub - enables the hub router to advise a DDNS server of its currently assigned IP.
  • DMVPN configuration using FQDN for the spokes - enables the spokes' NHRP configuration to reference an FQDN instead of an IP address.
Below is the basic setup that we will use for the test simulation.
[Figure: DMVPN network diagram with DHCP-assigned public IPs]

Part 1 - DMVPN configuration using FQDN for the spokes
  • The "Internet" cloud is actually simulated by a router (R5).
  • I've used R5 (5.5.5.5) to act as the "DNS server" as well as to provide the DHCP-assigned addresses for the NBMA.
**************************************************************************************
                      (R5 DHCP configuration)
                      R5#show run | sec dhcp
                      ip dhcp excluded-address 15.0.0.2 15.0.0.255
                      ip dhcp excluded-address 25.0.0.1
                      ip dhcp excluded-address 25.0.0.3 25.0.0.255
                      ip dhcp excluded-address 35.0.0.1 35.0.0.2
                      ip dhcp excluded-address 35.0.0.4 35.0.0.255
                      ip dhcp excluded-address 45.0.0.1 45.0.0.3
                      ip dhcp excluded-address 45.0.0.5 45.0.0.255
                      ip dhcp pool Hub_POOL
                       network 15.0.0.0 255.255.255.0
                       default-router 15.0.0.5
                      ip dhcp pool SPOKE1_POOL
                       network 25.0.0.0 255.255.255.0
                       default-router 25.0.0.5
                      ip dhcp pool SPOKE2_POOL
                       network 35.0.0.0 255.255.255.0
                       default-router 35.0.0.5
                      ip dhcp pool SPOKE3_POOL
                       network 45.0.0.0 255.255.255.0
                       default-router 45.0.0.5
                      R5#
                      **************************************************************************************
                      (R5 "DNS" configuration)
                      R5#confi t
                      Enter configuration commands, one per line.  End with CNTL/Z.
                      R5(config)#
                      R5(config)#ip dns server
                      R5(config)#ip domain-lookup
                      R5(config)#
                      R5(config)#ip host google.com 208.117.231.154
                      R5(config)#ip host mycreateddomain.ddns.net 15.0.0.1
                      R5(config)#
                      **************************************************************************************



  • Configuration and verification of DHCP and DNS name server on Hub and Spokes routers.
 
**************************************************************************************
                      (R1 DHCP configuration and verification)
                      R1#
                      R1#show run int eth0/0 | be interface
                      interface Ethernet0/0
                       ip address dhcp
                      end
                      
                      R1#
                      R1#show run | inc ip route
                      ip route 0.0.0.0 0.0.0.0 Ethernet0/0 dhcp
                      R1#
                      R1#show ip int br
                      Interface                  IP-Address      OK? Method Status                Protocol
                      Ethernet0/0                15.0.0.1        YES DHCP   up                    up
                      Ethernet0/1                unassigned      YES TFTP   administratively down down
                      Ethernet0/2                unassigned      YES NVRAM  administratively down down
                      Ethernet0/3                unassigned      YES NVRAM  administratively down down
                      Loopback0                  1.1.1.1         YES NVRAM  up                    up
                      Tunnel0                    10.0.0.1        YES NVRAM  up                    up
                      R1#
                      R1#show ip route static | be Gateway
                      Gateway of last resort is 15.0.0.5 to network 0.0.0.0
                      
                      S*    0.0.0.0/0 [1/0] via 15.0.0.5, Ethernet0/0
                      R1#
                      
                      (R1 Domain name configuration and verification)
                      R1#
                      R1#confi t
                      Enter configuration commands, one per line.  End with CNTL/Z.
                      R1(config)#ip name-server 5.5.5.5
                      R1(config)#ip domain-loo
                      R1(config)#ip domain-lookup
                      R1(config)#end
                      R1#
                      R1#ping google.com
                      Translating "google.com"...domain server (5.5.5.5) [OK]
                      
                      Type escape sequence to abort.
                      Sending 5, 100-byte ICMP Echos to 208.117.231.154, timeout is 2 seconds:
                      !!!!!
                      Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
                      R1#
                      R1#ping mycreateddomain.ddns.net
                      Translating "mycreateddomain.ddns.net"...domain server (5.5.5.5) [OK]
                      
                      Type escape sequence to abort.
                      Sending 5, 100-byte ICMP Echos to 15.0.0.1, timeout is 2 seconds:
                      !!!!!
                      Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/5 ms
                      R1#
                      **************************************************************************************
                      (R3 DHCP configuration and verification)
                      R3#
                      R3#show run int eth0/0 | be interface
                      interface Ethernet0/0
                       ip address dhcp
                      end
                      
                      R3#
                      R3#show run | inc ip route
                      ip route 0.0.0.0 0.0.0.0 Ethernet0/0 dhcp
                      R3#
                      R3#show ip int br
                      Interface                  IP-Address      OK? Method Status                Protocol
                      Ethernet0/0                35.0.0.3        YES DHCP   up                    up
                      Ethernet0/1                unassigned      YES TFTP   administratively down down
                      Ethernet0/2                unassigned      YES NVRAM  administratively down down
                      Ethernet0/3                unassigned      YES NVRAM  administratively down down
                      Loopback0                  3.3.3.3         YES NVRAM  up                    up
                      Tunnel0                    10.0.0.3        YES NVRAM  up                    up
                      R3#
                      R3#show ip route static | be Gateway
                      Gateway of last resort is 35.0.0.5 to network 0.0.0.0
                      
                      S*    0.0.0.0/0 [1/0] via 35.0.0.5, Ethernet0/0
                      R3#
                      
                      (R3 Domain name configuration and verification)
                      R3#
                      R3#confi t
                      Enter configuration commands, one per line.  End with CNTL/Z.
                      R3(config)#ip name-server 5.5.5.5
                      R3(config)#ip domain-lookup
                      R3(config)#end
                      R3#
                      R3#ping google.com
                      Translating "google.com"...domain server (5.5.5.5) [OK]
                      
                      Type escape sequence to abort.
                      Sending 5, 100-byte ICMP Echos to 208.117.231.154, timeout is 2 seconds:
                      !!!!!
                      Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
                      R3#
                      R3#ping mycreateddomain.ddns.net
                      Translating "mycreateddomain.ddns.net"...domain server (5.5.5.5) [OK]
                      
                      Type escape sequence to abort.
                      Sending 5, 100-byte ICMP Echos to 15.0.0.1, timeout is 2 seconds:
                      !!!!!
                      Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
                      R3#
                      **************************************************************************************



  • The WAN interface is configured with "ip address dhcp".
  • We have configured a static default route, "ip route 0.0.0.0 0.0.0.0 Ethernet0/0 dhcp". The "dhcp" keyword instructs the router to obtain the default gateway from DHCP.
  • From the "show ip int br" output we can see that the WAN interface obtained an IP address via DHCP (Method column: DHCP).
  • A static default route was installed via the next hop supplied by DHCP ("default-router x.x.x.x" under "ip dhcp pool").
  • We define the DNS server to be used by the router via the "ip name-server 5.5.5.5" command. On production networks you might point this to a public DNS such as Google (8.8.8.8, 8.8.4.4), for example, or to your own managed DNS server.
  • We then test whether name resolution works. Note that, for simulation purposes, we used a static binding of the IP to the hostname.
 
Now comes the fun part: we configure NHRP on the spokes to reference an FQDN instead of an IP address.
**************************************************************************************
                      (R3 DMVPN configuration using FQDN)
                      R3#
                      R3#show run int tun 0 | be interface
                      interface Tunnel0
                       ip address 10.0.0.3 255.255.255.0
                       no ip redirects
                       ip mtu 1400
                       ip nhrp authentication NHRP_KEY
                       ip nhrp network-id 1
                       ip nhrp nhs dynamic nbma mycreateddomain.ddns.net multicast
                       ip nhrp shortcut
                       ip tcp adjust-mss 1360
                       tunnel source Ethernet0/0
                       tunnel mode gre multipoint
                      end
                      
                      R3#
                      **************************************************************************************
                      (R3 DMVPN verification)
                      R3#
                      R3#show ip nhrp
                      10.0.0.1/32 via 10.0.0.1
                         Tunnel0 created 00:02:05, never expire
                         Type: static, Flags: used
                         NBMA address: 15.0.0.1  (mycreateddomain.ddns.net)
                      R3#
                      R3#show dmvpn
                      Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
                              N - NATed, L - Local, X - No Socket
                              # Ent --> Number of NHRP entries with same NBMA peer
                              NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
                              UpDn Time --> Up or Down Time for a Tunnel
                      ==========================================================================
                      
                      Interface: Tunnel0, IPv4 NHRP Details
                      Type:Spoke, NHRP Peers:1,
                      
                       # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
                       ----- --------------- --------------- ----- -------- -----
                           1 15.0.0.1               10.0.0.1    UP 00:02:02     S
                                     (mycreateddomain.ddns.net)
                      
                      R3#
                      R3#show ip route eigrp
                      Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
                             D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
                             N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
                             E1 - OSPF external type 1, E2 - OSPF external type 2
                             i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
                             ia - IS-IS inter area, * - candidate default, U - per-user static route
                             o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
                             a - application route
                             + - replicated route, % - next hop override
                      
                      Gateway of last resort is 35.0.0.5 to network 0.0.0.0
                      
                            1.0.0.0/32 is subnetted, 1 subnets
                      D        1.1.1.1 [90/27008000] via 10.0.0.1, 00:02:08, Tunnel0
                            2.0.0.0/32 is subnetted, 1 subnets
                      D        2.2.2.2 [90/28288000] via 10.0.0.1, 00:02:08, Tunnel0
                            4.0.0.0/32 is subnetted, 1 subnets
                      D        4.4.4.4 [90/28288000] via 10.0.0.1, 00:02:08, Tunnel0
                      R3#
                      R3#show ip cef 2.2.2.2
                      2.2.2.2/32
                        nexthop 10.0.0.1 Tunnel0
                      R3#
                      R3#traceroute 2.2.2.2 so 3.3.3.3
                      Type escape sequence to abort.
                      Tracing the route to 2.2.2.2
                      VRF info: (vrf in name/id, vrf out name/id)
                        1 10.0.0.1 1 msec 1 msec 1 msec
                        2 10.0.0.2 5 msec 1 msec *
                      R3#
                      R3#traceroute 2.2.2.2 so 3.3.3.3
                      Type escape sequence to abort.
                      Tracing the route to 2.2.2.2
                      VRF info: (vrf in name/id, vrf out name/id)
                        1 10.0.0.2 1 msec 1 msec *
                      R3#
                      R3#show ip route eigrp
                      Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
                             D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
                             N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
                             E1 - OSPF external type 1, E2 - OSPF external type 2
                             i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
                             ia - IS-IS inter area, * - candidate default, U - per-user static route
                             o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
                             a - application route
                             + - replicated route, % - next hop override
                      
                      Gateway of last resort is 35.0.0.5 to network 0.0.0.0
                      
                            1.0.0.0/32 is subnetted, 1 subnets
                      D        1.1.1.1 [90/27008000] via 10.0.0.1, 00:03:37, Tunnel0
                            2.0.0.0/32 is subnetted, 1 subnets
                      D   %    2.2.2.2 [90/28288000] via 10.0.0.1, 00:03:37, Tunnel0
                            4.0.0.0/32 is subnetted, 1 subnets
                      D        4.4.4.4 [90/28288000] via 10.0.0.1, 00:03:37, Tunnel0
                      R3#
                      R3#show ip cef 2.2.2.2
                      2.2.2.2/32
                        nexthop 10.0.0.2 Tunnel0
                      R3#
                      R3#show tunnel endpoints
                       Tunnel0 running in multi-GRE/IP mode
                      
                       Endpoint transport 15.0.0.1 Refcount 3 Base 0xA38B266C Create Time 00:04:10
                         overlay 10.0.0.1 Refcount 2 Parent 0xA38B266C Create Time 00:04:10
                         Tunnel Subblocks:
                            tunnel-nhrp-sb:
                               NHRP subblock has 1 entries
                       Endpoint transport 25.0.0.2 Refcount 3 Base 0xA38B256C Create Time 00:01:18
                         overlay 10.0.0.2 Refcount 2 Parent 0xA38B256C Create Time 00:01:18
                         Tunnel Subblocks:
                            tunnel-nhrp-sb:
                               NHRP subblock has 2 entries
                      R3#
                      **************************************************************************************
                      (R1 verification of NHRP NBMA mapping)
                      R1#show ip nhrp
                      10.0.0.2/32 via 10.0.0.2
                         Tunnel0 created 01:18:21, expire 01:21:38
                         Type: dynamic, Flags: unique registered used nhop
                         NBMA address: 25.0.0.2
                      10.0.0.3/32 via 10.0.0.3
                         Tunnel0 created 01:18:19, expire 01:42:34
                         Type: dynamic, Flags: unique registered used nhop
                         NBMA address: 35.0.0.3
                      10.0.0.4/32 via 10.0.0.4
                         Tunnel0 created 01:18:21, expire 01:58:58
                         Type: dynamic, Flags: unique registered used nhop
                         NBMA address: 45.0.0.4
                      R1#
                      **************************************************************************************


Three commands were replaced here in the tunnel configuration:  

  • ip nhrp map 10.0.0.1 15.0.0.1 (static NHRP mapping for the NHS server IP and its NBMA IP)
  • ip nhrp map multicast 15.0.0.1 (maps multicast traffic towards the NHS)
  • ip nhrp nhs 10.0.0.1 (defines the NHRP server IP)

They are replaced by a single command, "ip nhrp nhs dynamic nbma mycreateddomain.ddns.net multicast", which:

  • defines the NHS IP to be dynamic
  • uses the FQDN "mycreateddomain.ddns.net" to resolve the value for the NBMA IP
  • also maps multicast traffic to the NHS identified by the FQDN

In the verification output, we can see that the router resolved the FQDN and then created a static NHRP mapping for its NHS. We also receive EIGRP routes from the hub; since EIGRP uses multicast, this shows the multicast mapping is working.

Let's take a closer look into how this is accomplished by looking into a packet capture on R3's WAN interface. I've initially shut down the WAN interface and re-enabled it to show the processes of DHCP, DNS, NHRP, and Routing.
R3---Packet-Capture-1.png
  • At line 5, eth0/0 of R3 was enabled and started the DHCP request process. It was able to bring up the interface and complete the process at line 24.
  • At line 25, it starts to query the DNS server (5.5.5.5) to resolve the FQDN "mycreateddomain.ddns.net". Line 26 is the reply from the DNS server.
  • At lines 27-28, it starts its NHRP registration process with the NHS.
  • After registering with the NHS, it builds the GRE tunnel to the hub and begins the EIGRP neighbor discovery, as seen on lines 29-43.
  • I then sent a couple of pings to verify reachability and illustrate spoke-to-spoke traffic for DMVPN phase 3.
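
Because every spoke in this design gets its NBMA address from DHCP, the hub's "show ip nhrp" table is the only record of which public address currently holds each tunnel IP. The sketch below is an added example, not part of the original article: it parses that output format and reports what changed between two snapshots. The second snapshot and the function names are constructed for illustration.

```python
import re

# Snapshot 1: two entries copied from the R1 "show ip nhrp" output in the article.
SNAPSHOT_1 = """\
10.0.0.2/32 via 10.0.0.2
   Tunnel0 created 01:18:21, expire 01:21:38
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 25.0.0.2
10.0.0.3/32 via 10.0.0.3
   Tunnel0 created 01:18:19, expire 01:42:34
   Type: dynamic, Flags: unique registered used nhop
   NBMA address: 35.0.0.3
"""
# Snapshot 2 is constructed: spoke 10.0.0.2 re-registers from a new DHCP address.
SNAPSHOT_2 = SNAPSHOT_1.replace("NBMA address: 25.0.0.2", "NBMA address: 25.0.0.77")

ENTRY = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)/32 via ")
NBMA = re.compile(r"^\s*NBMA address: (\S+)")

def parse_nhrp(text):
    """Return {tunnel_ip: nbma_ip} from 'show ip nhrp' output."""
    table, current = {}, None
    for line in text.splitlines():
        entry, nbma = ENTRY.match(line), NBMA.match(line)
        if entry:
            current = entry.group(1)
        elif nbma and current:
            table[current] = nbma.group(1)
            current = None
    return table

def diff_nhrp(before, after):
    """Return (event, tunnel_ip, old_nbma, new_nbma) tuples between snapshots."""
    old, new = parse_nhrp(before), parse_nhrp(after)
    events = []
    for ip in sorted(set(old) | set(new)):
        if old.get(ip) == new.get(ip):
            continue
        if ip not in new:
            event = "removed"
        elif ip not in old:
            event = "added"
        else:
            event = "nbma-changed"
        events.append((event, ip, old.get(ip), new.get(ip)))
    return events

if __name__ == "__main__":
    for event in diff_nhrp(SNAPSHOT_1, SNAPSHOT_2):
        print(event)
```

Logging these events with a timestamp gives a history of tunnel IP to public IP bindings that the router itself does not keep once an entry expires.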

Part 2 - Dynamic DNS (DDNS) for the hub

  • When a router interface is configured with DDNS, it updates the DDNS server with its IP address.
  • When the DDNS server receives the update, it then creates the binding between that IP address and a given FQDN which it announces to the internet.
  • There are various DDNS services provided by multiple providers. Two of the most common and free DDNS providers are no-ip.com and dyndns.com. The following example will configure DDNS on a Cisco router using no-ip.com as the DDNS service provider.
  • You can use your own managed DNS server if you are able to provide DDNS.
  • We sign up for a free DDNS account on no-ip.com.
    • username: username
    • password: password
    • FQDN: mycreateddomain.ddns.net
 
Below is the DDNS configuration on a Cisco router using the free DDNS provided by no-ip.com:
**************************************************************************************
                      (R1 Hub DDNS configuration)
                      R1#confi t
                      Enter configuration commands, one per line.  End with CNTL/Z.
                      R1(config)#ip dns server
                      R1(config)#ip name-server 5.5.5.5
                      R1(config)#
                      R1(config)#ip ddns update method NO-IP
                      R1(DDNS-update-method)#http
                      
                      (Hit Ctrl+V before pasting or typing the next line, because the characters "?" and "@" will otherwise be interpreted wrongly by IOS)
                      
                      R1(DDNS-HTTP)#add http://username:passsword@dynupdate.no-ip.com/nic/update?hostname=<h>&myip=<a>
                      R1(DDNS-HTTP)#exit
                      R1(DDNS-update-method)#
                      R1(DDNS-update-method)#interval maximum 0 0 5 0
                      R1(DDNS-update-method)#exit
                      R1(config)#
                      R1(config)#interface eth0/0
                      R1(config-if)#ip ddns update hostname mycreateddomain.ddns.net
                      R1(config-if)#ip ddns update NO-IP
                      R1(config-if)#end
                      R1#
                      *Apr  2 20:13:58.494: %SYS-5-CONFIG_I: Configured from console by console
                      R1#
                      R1#show run | sec ddns
                      ip ddns update method NO-IP
                       HTTP
                        add http://username:passsword@dynupdate.no-ip.com/nic/updatehostname=<h>&myip=<a>
                       interval maximum 0 0 5 0
                       ip ddns update hostname mycreateddomain.ddns.net
                       ip ddns update NO-IP
                      R1#
                      **************************************************************************************



  • We configure the DNS server that will be used by the router (ip name-server 5.5.5.5). In an actual production network this can be a public DNS such as Google (8.8.8.8, 8.8.4.4) or your managed DNS server.
  • "ip ddns update method NO-IP" creates a DDNS update method named "NO-IP" and uses "http" as the method to update the DDNS server.
  • We configure "add http://username:passsword@dynupdate.no-ip.com/nic/update?hostname=<h>&myip=<a>". Replace the username and password with the details you configured when you signed up with no-ip.com.
  • "interval maximum 0 0 5 0" defines an update interval of every 5 minutes.
  • On the WAN interface, we configure the DDNS hostname and DDNS profile: "ip ddns update hostname mycreateddomain.ddns.net" and "ip ddns update NO-IP". You'll use the hostname you defined during the sign-up.
Let's observe the packet capture on R1's WAN interface while the interface is shut and re-enabled.
R1---Packet-Capture-1.png
  • At line 5 the interface was re-enabled.
  • DHCP process is at lines 7-22.
  • At lines 29-30, DNS was queried for resolution of "dynupdate.no-ip.com".
  • At line 31, the router tried to send the DDNS update to no-ip.com via HTTP (port 80).
  • At line 32, the destination is unreachable since I've simulated this in a lab environment and have not connected it to the real internet.
Once the DDNS server is updated with the IP, it should begin announcing it to the internet, and future lookups will resolve the FQDN to the hub's WAN interface IP. The DDNS record will continuously be updated every 5 minutes.
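
The capture above shows the update leaving over HTTP on port 80, and the "show run | sec ddns" output shows the account credentials sitting in the URL. The following added example (not from the original article or from Cisco) lints a DDNS update method for those two exposures and for the typing pitfall the Ctrl+V note warns about. The function names and finding texts are assumptions made for this sketch.

```python
from urllib.parse import urlsplit

# The "show run | sec ddns" lines exactly as printed in the article.
ARTICLE_CONFIG = """\
ip ddns update method NO-IP
 HTTP
  add http://username:passsword@dynupdate.no-ip.com/nic/updatehostname=<h>&myip=<a>
 interval maximum 0 0 5 0
 ip ddns update hostname mycreateddomain.ddns.net
 ip ddns update NO-IP
"""

CLEARTEXT = "update request travels over cleartext HTTP"
CREDS = "account credentials are embedded in the URL and shown by 'show run'"
NO_QUERY = "no '?' before the parameters (typed without Ctrl+V?)"
NO_TOKEN = "placeholder {} is missing, so nothing is substituted for it"

def check_url(url):
    """Return the issues found in one DDNS update URL template."""
    parts, issues = urlsplit(url), []
    if parts.scheme == "http":
        issues.append(CLEARTEXT)
    if parts.username or parts.password:
        issues.append(CREDS)
    if not parts.query:
        issues.append(NO_QUERY)
    for token in ("<h>", "<a>"):  # the tokens used in the article's URL
        if token not in url:
            issues.append(NO_TOKEN.format(token))
    return issues

def audit_ddns(config):
    """Return (method_name, issue) pairs for every 'add <url>' line."""
    findings, method = [], None
    for line in config.splitlines():
        words = line.split()
        if words[:4] == ["ip", "ddns", "update", "method"] and len(words) == 5:
            method = words[4]
        elif len(words) == 2 and words[0] == "add":
            findings.extend((method, issue) for issue in check_url(words[1]))
    return findings

if __name__ == "__main__":
    for method, issue in audit_ddns(ARTICLE_CONFIG):
        print(f"{method}: {issue}")
```

Run against the output as printed in this article, it reports three findings for method NO-IP, including the "?" that is absent from the printed "show run" line.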
 

Final notes:
  • You can use any DDNS service you want or even provide your own if you manage your own DNS.
  • no-ip.com offers a free DDNS service; however, you'll need to reconfirm your account every 30 days.
  • DMVPN configuration using FQDN was introduced for software versions above Cisco IOS Release 15.1(2)T.
 

That basically sums up configuring DMVPN with both hub and spokes having dynamically assigned public IP addresses. I hope this has been helpful to you, and thank you for reading the article.

Comments (1)

Dear learner,
If you don’t know anything about DMVPN configuration,
check out these links: DMVPN Configuration (http://gponsolution.com/dmvpn-configuration.html)
