DMVPN Phase 2: Enabling Spoke-to-Spoke Communication

While Phase 1 of DMVPN offers a functional hub-and-spoke topology, it suffers from a major limitation: all inter-spoke communication must traverse the hub, which can become a bottleneck and introduce latency. DMVPN Phase 2 solves this issue by enabling direct spoke-to-spoke tunnels. In this phase, the hub still distributes routing updates, but once two spokes identify a need to communicate, they dynamically establish a direct tunnel between each other using NHRP (Next Hop Resolution Protocol).

Key Characteristics of Phase 2

In Phase 2, the router forwards traffic based on the FIB (Forwarding Information Base) using Cisco Express Forwarding (CEF). Unlike Phase 1, where all traffic must pass through the hub, Phase 2 allows spoke-to-spoke sessions to be built dynamically after the initial resolution phase. The hub’s role becomes lightweight: it is only responsible for propagating routing updates and answering initial NHRP requests.

Spoke-to-Spoke Tunnel Establishment

The spoke-to-spoke communication process begins as follows:

1. Spoke 1 detects a need to reach Spoke 2 and sends an NHRP resolution request to the hub.
2. The hub relays this request to Spoke 2.
3. Spoke 2 responds directly to Spoke 1 with an NHRP reply, providing its public IP address.
4. Spoke 1 and Spoke 2 then dynamically establish a tunnel between them, bypassing the hub for data traffic.

This model enables optimal routing by eliminating the hub from the data path. However, it also introduces a trade-off: the hub loses visibility and control over the traffic flows.

The no ip next-hop-self eigrp command is a critical differentiator for Phase 2. It ensures that the next-hop address learned by spokes is that of the remote spoke, not the hub, which is necessary for direct spoke-to-spoke forwarding.

router eigrp 123
network 172.16.1.0
network 192.168.0.0

crypto isakmp key cisco123 address 0.0.0.0

The ip nhrp holdtime sets the NHRP registration timer to 600 seconds (10 minutes), while ip nhrp registration no-unique allows spokes with changing IPs to re-register without waiting for the previous entry to time out.

router eigrp 123
network 172.16.1.0
network 192.168.0.0

crypto isakmp key cisco123 address 0.0.0.0

How Long Do Spoke-to-Spoke Tunnels Last?

Spoke-to-spoke tunnels are not permanent. Their lifetime is controlled by NHRP timers and IPSec SA lifetimes. By default, NHRP entries last 2 hours, while IPSec tunnels may expire after 1 hour. Admins can reduce this duration, commonly to 10 minutes, by modifying ip nhrp holdtime.

Phase 2 Challenges and Limitations

Despite offering optimal routing, DMVPN Phase 2 introduces several potential issues:

• Invalid CEF Adjacency: Since dynamic tunnels are ephemeral, CEF may have incomplete adjacency information at times, leading to suboptimal performance.
• No Prefix Summarization: Direct spoke-to-spoke routing requires exact IP entries in the routing table. This means summarization cannot be used, increasing routing table size and complexity.
• OSPF Limitations: OSPF doesn’t scale well in a DMVPN Phase 2 environment. Designated Routers (DRs) must reside on the hub, and only two hubs are supported due to OSPF’s strict DR/BDR election rules. Additionally, OSPF has trouble scaling past 50 routers in a single area, making it a poor fit for large hub-and-spoke topologies.

Phase 2 strikes a balance between efficiency and control. It significantly reduces the burden on the hub while allowing dynamic peer-to-peer communication between spokes. Still, these benefits come with increased complexity and certain routing protocol limitations, especially when using OSPF. Organizations requiring tight routing control or full hub visibility may need to evaluate whether Phase 2’s trade-offs are acceptable or consider the more flexible Phase 3 architecture.