  • Content created by Rene Molenaar (CCIE #41726)

Notable Replies

  1. Rene,

    When would we choose to use Phase 1, 2, or 3, and why? I understand the differences between the three, but do we gain any benefit from implementing one or the other that is noticeable to end users?

    It seems to me that perhaps allowing spoke routers to talk to each other may decrease latency in the real world, as they would not have to hop through the hub router, but other than that I'm not sure.



  2. Hi Patrick,

    The different versions are like an evolution of DMVPN. We don't really use phase 1 anymore unless you have a really good reason why you want to force all traffic through the hub (security perhaps?). Otherwise, it's more effective to allow spoke-to-spoke traffic.

    Both phase 2 and 3 allow spoke-to-spoke traffic. The advantage of phase 3 is that we use the "shortcuts", so you don't need specific entries anymore in the routing tables of the spoke routers. I can't think of any advantages right now that phase 2 has over phase 3, so if you implement this, you probably want to use phase 3.


  3. Hi Rene,

    Does this DMVPN work behind NAT, like a 3G/4G network?

    As I understand, DMVPN needs UDP ports 500 and 4500, GRE and ESP. Without port forwarding, will it still work?


  4. Davis,
    Technically, DMVPN and IPSec are independent of each other. However, since DMVPN doesn't provide any level of security (other than password authentication for Hubs/Spokes), people often pair it with IPSec when running on a public network. It shouldn't make a difference if your connection type happens to be 3/4G, DSL, or MPLS, for example. One of the benefits of DMVPN is its ability to allow just about any connection type--as long as the spokes and hub(s) have IP connectivity, DMVPN should work.

    DMVPN does work even when devices are behind a NAT. If you wanted to use IPSec with a DMVPN NAT environment, you would need to make sure the device performing the NAT supports NAT-T (UDP 4500), which is designed to allow IPSec to function through a NAT.

  5. Hi Andrew,

    I tested behind NAT on a home router with a public IP, and DMVPN works with and without IPSEC protection. Once I change the WAN to a 3G connection, the DMVPN is down.

    So I remove the IPSEC protection and only configure basic DMVPN, and I am still not able to bring up the DMVPN. Since I don't use the IPSEC protection, I should not have to care about NAT-T or UDP 500 and ESP. What can be the reason the DMVPN is not up?

