DMVPN Phase 1 Basic Configuration

Hi Rene,

I need to know how does the spoke routers already know about each others private/overlay IP address?

Hello Muhammad

In this particular lesson, we’re looking at how DMVPN Phase 1 operates. In Phase 1, the spokes register with the hub router using NHRP. Because all spoke tunnel interfaces have an IP address in the same subnet if you ping Spoke 2 from Spoke 1, the subnet is considered directly connected to the tunnel interface, therefore any such pings will exit the tunnel interface. Such a ping will reach the hub, which will use NHRP to determine how to reach the destination.

Now keep in mind that this lesson describes only the connectivity between the routers. If you have subnets behind each spoke, and you want hosts behind one spoke to reach hosts behind another, then you need to employ a routing protocol, or to apply static routing at the spokes.

For more information on how Phase 1 operates with NHRP take a look at this lesson:

For information on how to employ EIGRP on a DMVPN Phase 1 network, take a look at this lesson:

For information on how to employ other routing protocols on DMVPN networks of various phases, take a look at all of the DMVPN lessons in the series.

I hope this has been helpful!


Thanks Laz,

It’s clear, much appreciated…!!

1 Like

Hi, A question about “show dmvpn”
when I run this show command I see in state NHRP and UP, trying to understand what is the difference ?

Hello Max

Under the State column of the output, if the tunnel is up, it will show UP. If the tunnel is down, it will show you the reason for the down state. It will display one of the following three things:

  • IKE
  • IPsec
  • NHRP

This indicates the reason for the error. NHRP indicates that there is a problem with the operation of NHRP.

More info can be found here:

I hope this has been helpful!


1 Like

Hello, everyone.

I am a little confused by some of the commands here.

ip nhrp map multicast dynamic: this command tells the hub router where to forward multicast packets to. Since the IP addresses of the spoke routers are unknown, we use dynamic to automatically add their IP addresses to the multicast destination list when the spokes register themselves.
ip nhrp map multicast: here we specify which destinations should receive broadcast or multicast traffic through the tunnel interface. The confusing part is that you have to enter the NBMA address here. We need this command since routing protocols like RIP, EIGRP and OSPF require multicast.
ip nhrp map: we use this on the spoke to create a static mapping for the hub’s tunnel address ( and the hub’s NBMA address ( This will be stored in the NHRP cache of the spoke router.

ip nhrp nhs: this is where we specify the NHRP server, our hub router.

The first 2 commands that confuse me are ip nhrp map multicast and ip nhrp map multicast dynamic. Why do we need to specify destinations which should receive broadcast and multicast traffic? We’ve built P2P GRE tunnels in the previous lessons and even ran an IGP over it, which means that a GRE tunnel supports multicast/broadcast by default, does it not?

Then there are the ip nhrp map, ip nhrp nhs

ip nhrp map maps the hub’s tunnel IP to its public IP.
ip nhrp nhs is to specify the NHRP server

These two feel a little redundant to me. The first one maps the hub’s (the NHRP server’s) tunnel IP to its public IP, but then we also have to configure who the NHRP server is? Didn’t we just technically do that?

And then again, there’s the tunnel destination command which also requires us to specify the IP of the hub router.

I don’t know, these 3 just keep mixing for me and they feel like they do the exact same thing.

Could someone please clear these problems up for me? Thank you :slight_smile:


Hello David

DMVPN does indeed use GRE as its underlying tunnel-creating mechanism, however, it also uses NHRP in order to dynamically resolve the next-hop router’s IP address. These commands are applied for the benefit of the operation of NHRP.

On the hub, we issue the ip nhrp map multicast dynamic command to tell the router to dynamically learn and map multicast sources to remote sites. When the hub receives multicast traffic, it will use NHRP to determine which remote sites are interested in the multicast group and then forward the multicast traffic only to those interested sites. If the command is not issued, the hub router will treat multicast traffic as unicast traffic, sending a copy to each remote site regardless of whether they have active receivers interested in the multicast group.

On the spoke, we issue the ip nhrp map multicast <ip_address> command where <ip_address> is that of the hub. This command essentially defines a mapping for multicast traffic, so that the spoke will send all multicast traffic to the hub. If the command is not issued, the spoke may send the multicast traffic to multiple hubs (if they exist) or it may even broadcast it over the entire network.

These commands essentially apply mappings that tell NHRP how to handle multicast traffic in a more efficient and correct manner.

I can see how these commands may seem somewhat redundant, however, they serve different purposes.

The ip nhrp map command maps the hub’s tunnel IP to its public IP. This defines the map[ping between the logical tunnel and the physical NBMA address of the hub. This is needed to perform address resolution to help spokes determe where to send NHRP requests.

The ip nhrp nhs command specifies the IP address of the NHRP server for NHRP registration of the spokes. The key here is that although it’s common for the hub router to also serve as the NHRP server, this is not always the case. In larger and more complex DMVPN deployments, you may choose to have a dedicated device other than the hub serve as the NHRP server. In that case, the IP address of the server and the IP address of the hub’s tunnel IP will be different.

I hope this has been helpful!


Hello Laz.

Thank you very much again for your great explanation, all is clear to me now :slight_smile:

I’ve one more question. What’s the use of the

tunnel key x

command in DMVPN? The OCG says that it helps identify the the DMVPN tunnel interface if multiple tunnel interfaces use the same tunnel source interfaces.

What does this mean? Have you got an example for this, please?

Thank you!


Hello David

The tunnel key command is used not only in DMVPN scenarios, but in all scenarios that use GRE tunnels. You can find out more about it at this lesson:

I hope this has been helpful!