DMVPN with VRF’s for the Internet interfaces and BGP

I’ve been playing with some different DMVPN configurations. In this scenario, I wanted the Internet facing interface to have a separate routing table, which I accomplished with a VRF. I also wanted to use a phase 2 DMVPN – which allows spokes to communicate directly to each other without having to send all traffic to the hub. The tricky part was getting the DMVPN tunnels to form over that interface. This is accomplished via the tunnel vrf command in the tunnel interface and specifying the vrf in the crypto keyring.

Here is my hub config:

Here is my spoke config:

One of the scenarios that I wanted to play with was having BGP dynamically create peers. However, my specific version of code doesn’t support dynamic BGP peers. If my code did support it, the BGP config would look something like:


I had an interesting idea. Having the hub’s and the spokes in the same BGP ASN. Having the DMVPN hubs act as BGP route reflectors and having the spoke connect to the hubs. As the hubs are route reflectors, they will propagate all routes about the spokes to all other spokes. In a DMVPN phase 2 scenario, this would allow the spokes to communicate next to each other as the spokes know about each other through BGP next-hop. I set it up in my lab and it actually works pretty well.

Here the BGP configuration from my hub:

Here is the BGP configuration from one of my spokes:

Here is the isakmp session status, BGP table, and trace route to a neighbor spoke from the DMVPN-SPOKE1-R4 spoke.

One way to make this scale, without manual intervention of having to add neighbor relationships in BGP would be to have the dynamic neighbor relations statement in the DMVPN hubs. In my lab set up, BGP works pretty well in a DMVPN environment.

November 26, 2013

Posted In: BGP, DMVPN, VRF

OpenNHRP is now available via RPM

After a LONG hiatus, I’m finally starting to work on my Open Source implementation of DMVPN, again. So far, I’ve started off by taking the OpenNHRP source code and building RPM files. I made no changes to the source code itself. Heck, I don’t even consider myself a developer. I just built the RPM binaries so that a person could build a DMVPN device without needing to have developer tools installed on the device itself. It should be a little more secure that way. :)

Currently, the RPM files are being built in a CentOS 6 x86_64 environment. However, if this is something that people like, I will entertain building the RPM’s for 32 bit environment or possibly deb packages for ubuntu / debian based environments.

The binary and source RPM’s are available right now! I’m still testing them to make sure everything is working properly.  You can get the package by installing the repository:

Have fun! I look forward to getting an open source of a DMVPN implementation up and running soon! Leave a comment if you have any comments or questions.

October 2, 2012

Posted In: DMVPN, Linux, Open Source Alternatives, OpenNHRP, RPM, System Administration, VPN