DMVPN – NHRP Client / Server Protocol review, how dynamic tunnels are formed, the different NHRP Phases, and an Intro to DMVPN definitions!

DMVPN3

Above is a Topology that demonstrates a few things right off the bat, A) it wants to establish an mGRE Tunnel to Branch2 from Branch1, b) To do this it needs to send an “NHRP Query” Packet to the NHRP Server HubRouter to get information on HOW to create a tunnel with Branch 2, c) NHRP HubRouter responds with an “NHRP Reply” that provides the information the Branch1 to form a tunnel with Branch to (assuming it is also configured for this companies DMVPN).

Also – It is “Next Hop Resolution Protocol” as I keep seeing instructors calling it different things, and definitively, it is RESOLUTION for the R in NHRP 🙂

mGRE did not always create Dynamic Spoke-to-Spoke tunnels, here are its phases:

These are the 3 phases of NHRP or really “DMVPN” to be aware of, there are not many details or gotchas, but again these are just implementation or deployment types, and not like Phase 1 and Phase 2 of the building of an IPSec tunnel!

  1. Phase 1 – All NHRP Clients still point to the NHRSP Server to communicate between sites, however there was one central hub ALL traffic flowed through
  2. Phase 2 – CEF Implementation allows Spoke-to-Spoke tunnels by providing full routing information among neighbors, however certain protocols such as EIGRP and BGP require special commands to allow this to work proprely
  3. Phase 3 – NHRP Clients can respond to NHRP Query’s sent by clients, thus taking over the role of the NHRP Server in this type of implementation

Why these Phases are important to know in the exam room and the interview room

Imagine being asked out of the blue if “DMPVN Phase 1” as I always hear it named incorrectly, can create spoke-to-spoke Dynamic VPNs to each other, and you might think “Yes, thats what it is called “Dynamic Multipoint VPN” but given our phase definitions above that is WRONG!

Phase 1 spokes can only connect back to the Hub.

Phase 2 can create Site-to-Site Dynamic VPNs, and Phase 3 even the other Spokes can answer calls for Dynamic VPN information to build a tunnel between neighbors.

Introducing the Terminology used in DMVPN and what technologies it refers to

Dynamic of course meaning the ability to Dynamically create spoke-to-spoke tunnels IF you have NHRP 2 or 3 deployed, which is commonly called DMVPN Phase 1 / 2 /3.

Multipoint refers to Multipoint GRE, which GRE is the magic behind moving traffic within DMVPNs, as it can transport about any type of traffic through any type of network and now has a Multipoint feature to provide that service to multiple destinations!

Overlay is the IP Addressing of VPN Tunnels running over the top of the Internet.

Underlay is the internet, the real IP Addressing needed to provide basic IP connectivity.

Simple Provisioning which was demonstrated in my previous post with actual configuration examples of mGRE routers, they are all configured ALMOST exactly the same, which makes this a fairly light weight deployment for such flexibility.

Some of the major perks of DMVPN deployments

  • Supports NAT
  • Extremely Scalable
  • Support GET VPN Cisco technology
  • Traffic Routing – mGRE / NHRP (Next Hop Resolotion Protocol)
  • Traffic Encryption – IPSec Profiles

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s