
What Is DMVPN Phase 1 in Networking?

Also known as: DMVPN Phase 1, Cisco DMVPN, DMVPN Phase 1 explained, DMVPN Phase 1 vs Phase 2, CCNP DMVPN

Reviewed by Johnson Ajibi · Senior Network & Security Engineer · MSc IT Security

Quick Definition

DMVPN Phase 1 is a way for branch offices to talk securely to a main office over the internet. Each branch creates one tunnel directly to the central hub. Branch offices cannot communicate directly with each other, but all branches can reach the hub and its resources. It is a simpler setup than later phases and works well for hub-and-spoke topologies.

Must Know for Exams

DMVPN Phase 1 is a specific topic in the Cisco CCNP Enterprise (350-401 ENCOR) and the CCNP Security (350-701 SCOR) exams, as well as the CCNP Advanced Routing (300-410 ENARSI) exam. In the ENARSI exam, DMVPN is part of the Layer 3 Technologies section, which covers advanced routing and VPN technologies. Candidates must understand the architectural differences between DMVPN phases, the role of NHRP, and how routing protocols behave over DMVPN tunnels.

Exam objectives require you to compare DMVPN Phase 1 with Phase 2 and Phase 3. You need to know that Phase 1 uses a static hub-and-spoke topology where all inter-spoke traffic must go through the hub. Questions often ask which phase is appropriate for a given scenario. For example, a scenario describing a company with 200 branch offices that only need access to a central data center would point to Phase 1. Knowing this distinction is critical for multiple-choice questions and for simulation questions.

Configuration questions may ask you to identify the correct tunnel mode for the hub and for the spoke. For the hub, the correct mode is mGRE (tunnel mode gre multipoint). For each spoke, it is point-to-point GRE (tunnel mode gre ip). A common exam question shows a partial configuration and asks you to select the missing command that would make it work correctly. You must know which side uses multipoint and which uses point-to-point.

Troubleshooting scenarios are also common. A question might describe a situation where spoke routers can ping the hub’s tunnel interface but cannot reach other spoke networks. The correct answer would explain that Phase 1 does not allow direct spoke-to-spoke communication, and that traffic must go through the hub. Another troubleshooting point involves NHRP registration failing: if a spoke cannot register with the hub, the tunnel stays down. Understanding NHRP registration and mapping is essential.

Finally, the exam may ask about scalability. Phase 1 scales well because each spoke only needs one tunnel, but the hub must handle all inter-spoke traffic. A question might ask you to identify the bottleneck in a large Phase 1 deployment, and the correct answer would be the hub router’s CPU and encryption performance.

Simple Meaning

Imagine you work for a company that has one big headquarters building and many small branch offices scattered across different cities. Every branch office needs to send reports, access files, and use the company’s internal software — all of which live at the headquarters. The problem is that each branch office gets its internet connection from a local provider, and their public IP addresses change frequently. You cannot just set up a static connection because the address keeps moving.

DMVPN Phase 1 is like giving each branch office a special, secure tunnel that always leads straight to the headquarters, no matter what address the branch is using. Think of it like a series of private, underground passageways from each branch to the main building. If a branch wants to send a message to another branch, it has to go through headquarters first — like routing all mail through a central post office before it reaches another local office. The key idea is that every branch has exactly one tunnel, and that tunnel goes only to the center.

This design is simple because the hub only needs to maintain one list of tunnels for all branches. Each branch only needs to know how to reach the hub, not every other branch. If a branch’s public IP changes, the tunnel reconnects automatically without any manual work. This makes DMVPN Phase 1 a very practical first step for companies that are growing and adding new branches, because adding a new branch just means configuring one new tunnel to the hub.

Full Technical Definition

DMVPN Phase 1 is a multipoint VPN architecture that uses mGRE (multipoint Generic Routing Encapsulation) tunnels combined with NHRP (Next Hop Resolution Protocol) and IPsec encryption. In Phase 1, the hub router is configured with a single mGRE tunnel interface that accepts connections from multiple spoke routers. Each spoke router, in contrast, is configured with a single p2p (point-to-point) GRE tunnel interface that connects only to the hub.

NHRP plays a critical role in Phase 1. When a spoke router comes online, it registers its real public IP address and its tunnel IP address with the NHRP server, which is the hub. The hub maintains a mapping table that correlates each spoke’s tunnel IP to its current public IP. Because spoke routers are configured with point-to-point tunnels, they do not have NHRP mappings for other spokes. Consequently, traffic between two spokes must travel through the hub. The hub forwards packets from one spoke to another using its own routing table and mGRE interface, which encapsulates the packet again for the destination spoke. This process is called hairpinning.

IPsec encryption is mandatory in production deployments to secure the GRE tunnels. In Phase 1, IPsec is typically applied using a crypto map on the physical interface or a tunnel protection profile. The hub router must handle encryption and decryption for all spoke-to-spoke traffic, which can create a bottleneck in large networks.

Routing protocols like EIGRP, OSPF, or BGP run over the tunnel interfaces. In Phase 1, the hub advertises routes for all spokes, and each spoke advertises only its own local networks. Because spokes do not have direct tunnels to each other, routing updates between spokes are not exchanged directly. The hub serves as the single point of redistribution. Dynamic routing allows the network to adapt if a spoke’s tunnel goes down, and NHRP handles the changes in public IP addresses seamlessly.

From a standards perspective, DMVPN Phase 1 is defined in RFC 6241 and relies on mGRE (RFC 2784), NHRP (RFC 2332), and IPsec (RFC 4301). Cisco first introduced DMVPN in IOS 12.2(8)T, and Phase 1 remains fully supported in current Cisco IOS, IOS-XE, and even in some SD-WAN implementations for legacy integration.

Real-Life Example

Think of a large university campus with one main library in the center and several smaller branch libraries around the city. Every branch library has its own phone number that changes every few months because the phone company reassigns numbers. The main library wants each branch to be able to call and ask for interlibrary loans, but the branches do not need to call each other directly. They just need to talk to the main library.

DMVPN Phase 1 is like setting up a direct phone line from each branch library to the main library. Each branch gets one dedicated phone line, and when the branch’s phone number changes, the phone company automatically redirects calls to the new number without anyone having to reprogram the system. The main library has a single phone console that can answer all the branch lines. If the East Branch needs a book that the West Branch has, the East Branch calls the main library, and the main library staff calls the West Branch to request the book, then calls East Branch back with the result. All communication goes through the main library.

This maps to DMVPN Phase 1 directly. The main library is the hub router, and each branch library is a spoke router. The dedicated phone line is the point-to-point GRE tunnel. The automatic number redirection is NHRP registering the new public IP. The main library calling the West Branch on behalf of East Branch is the hairpinning process where packets go through the hub. This analogy shows the simplicity of Phase 1: it works well when most traffic is between branches and the hub, and there is little need for direct branch-to-branch communication.

Why This Term Matters

DMVPN Phase 1 matters because it solves a common real-world problem: connecting many remote sites to a central location without expensive MPLS circuits. For companies with dozens or hundreds of branch offices, leasing dedicated private WAN links is cost-prohibitive. Using the internet with DMVPN Phase 1 provides a secure, encrypted connection at a fraction of the cost.

From a practical standpoint, Phase 1 is easy to deploy and troubleshoot. Each spoke router needs only a simple configuration pointing to the hub. This reduces human error when adding new branches. The hub router is the only device that must handle complex multipoint configurations. For network operations teams, this means fewer configuration changes and lower risk of misconfiguration.

Network performance is another reason Phase 1 matters. When most traffic is hub-centric (such as accessing centralized servers, databases, or cloud applications), the hairpinning through the hub does not create a problem. The hub router often has higher processing power and can handle the encryption overhead for all spoke traffic. In environments where branch-to-branch traffic is rare, Phase 1 is optimal.

Security is also a key factor. All tunnels are encrypted with IPsec, protecting data as it crosses the public internet. Because spoke routers only have a tunnel to the hub, the attack surface is minimized. If a spoke router is compromised, it cannot directly reach other spokes. The hub can enforce security policies on all traffic passing through it.

Finally, DMVPN Phase 1 is the foundation for understanding later phases. Network engineers who master Phase 1 can more easily grasp Phase 2 (spoke-to-spoke on-demand tunnels) and Phase 3 (full mesh with NHRP shortcuts). Many enterprise networks still run Phase 1 for legacy systems or for sites that do not need direct spoke-to-spoke connectivity.

How It Appears in Exam Questions

In Cisco certification exams, DMVPN Phase 1 appears in several question formats. The first format is the compare-and-contrast multiple-choice question. For example: Which DMVPN phase allows spoke-to-spoke tunnels to be built dynamically, while Phase 1 requires all inter-spoke traffic to go through the hub? The answer would be Phase 2 or Phase 3, depending on the options. Another question might ask: Which DMVPN phase is best suited for a hub-and-spoke topology where branches never need to communicate directly with each other? The correct answer is Phase 1.

Configuration questions are also common. You might see a partial configuration for a spoke router like this:

interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination 192.168.1.1
 tunnel mode gre ip

The question might ask: This configuration is correct for which DMVPN phase? The answer is Phase 1 because the tunnel mode is point-to-point and a static destination is configured. Another configuration question might show the hub router with tunnel mode gre multipoint and ask: What additional configuration is required on the hub to accept registrations from spokes? The answer would be ip nhrp network-id and, optionally, ip nhrp authentication.

Troubleshooting questions often present a scenario where spoke A can reach the hub, spoke B can reach the hub, but spoke A cannot reach spoke B. The question asks for the most likely cause. The correct answer is that DMVPN Phase 1 does not support direct spoke-to-spoke communication. Alternatively, a question might show that the hub is not forwarding traffic between spokes, and the solution is to ensure that the hub has a route to the spoke’s network and that IP routing is enabled on the hub’s tunnel interface.

Architecture design questions are also frequent. You may be asked: A company has 50 branch offices, all of which need to access a central ERP system at headquarters. No branch ever needs to communicate with another branch. Which DMVPN phase is most appropriate? The answer is Phase 1. Another design question might ask: What is the primary disadvantage of using DMVPN Phase 1 in a network where branches frequently exchange files with each other? The answer is that all inter-branch traffic must traverse the hub, causing latency and increasing load on the hub.

Performance and scalability questions round out the exam coverage. A question might ask: In a DMVPN Phase 1 deployment with 300 spokes, which component is most likely to become a bottleneck? The answer is the hub router’s encryption engine, because it must encrypt and decrypt all inter-spoke traffic. Finally, NHRP-specific questions ask about the registration process, the NHRP mapping table, and what happens when a spoke’s public IP changes.


Example Scenario

A retail company called ShopFast operates one central warehouse in Chicago and 40 retail stores across the Midwest. Each store has a point-of-sale system that must send sales data to the warehouse’s inventory server every night. No store ever needs to talk directly to another store. The stores are connected to the internet through local ISPs, and their public IP addresses change sporadically.

The company decides to use DMVPN Phase 1. The warehouse router is configured as the hub with a multipoint GRE tunnel. Each store router is configured as a spoke with a single point-to-point GRE tunnel pointing to the warehouse. When a store’s public IP changes, NHRP automatically updates the mapping on the hub, so the tunnel stays up without any manual reconfiguration. Sales data flows securely from each store to the warehouse through IPsec-encrypted tunnels.

One day, the store in Omaha needs to send a large inventory update while the store in Des Moines is also sending data. Both tunnels carry traffic through the same hub router. The hub router must encrypt and decrypt both streams, plus route the packets to the correct internal server. Because Phase 1 hairpins all traffic through the hub, the warehouse router’s CPU utilization increases, but it still handles the load because the traffic volume is moderate. If ShopFast later decides to let stores share inventory directly with each other, they would need to upgrade to DMVPN Phase 2 or Phase 3. For now, Phase 1 meets their needs perfectly with minimal complexity.

Common Mistakes

Thinking that DMVPN Phase 1 allows spoke routers to communicate directly with each other without going through the hub.

In Phase 1, each spoke has only a point-to-point tunnel to the hub. There are no tunnels between spokes, so direct spoke-to-spoke communication is impossible. All inter-spoke traffic must be routed through the hub.

Understand that Phase 1 is strictly hub-and-spoke. If direct spoke-to-spoke communication is needed, you need to use Phase 2 or Phase 3.

Configuring the spoke router with a multipoint GRE tunnel instead of a point-to-point GRE tunnel.

In Phase 1, the hub uses mGRE, but each spoke should use point-to-point GRE (tunnel mode gre ip). Using mGRE on the spoke with a static destination would not work correctly because the spoke would try to use NHRP for multiple destinations, which is unnecessary.

Always configure the spoke with tunnel mode gre ip and specify the hub's public IP as the tunnel destination. The hub should be the only device using tunnel mode gre multipoint.

Believing that DMVPN Phase 1 provides automatic spoke-to-spoke failover if the hub goes down.

If the hub router fails in Phase 1, all spoke tunnels go down because every tunnel terminates on the hub. There is no mechanism for spokes to communicate directly as a backup.

Implement hub redundancy using dual hubs with HSRP or separate DMVPN Phase 1 networks. Without the hub, spoke-to-spoke communication is impossible.

Assuming that adding a new spoke requires changes on every existing spoke router.

Because each spoke only has a tunnel to the hub, adding a new spoke only requires configuration on the new spoke and a small update on the hub (like adding the spoke's network to a routing policy). Existing spokes need no changes.

Remember the scalability advantage: Phase 1 is easy to scale because the hub manages all mappings, and spokes are independent of each other.

Confusing NHRP registration with IGP neighbor formation in DMVPN Phase 1.

NHRP registration happens at Layer 3 to map tunnel IPs to real IPs. The IGP (like EIGRP or OSPF) runs over the tunnel interfaces separately. NHRP registration must complete successfully before the IGP can form adjacencies across the tunnel.

Treat NHRP as the address resolution step that must happen first. If the spoke does not register with the hub, the IGP adjacency will never form.

Exam Trap — Don't Get Fooled

An exam question shows a topology where both the hub and the spoke are configured with tunnel mode gre multipoint, and the spoke still works. The candidate might think this is a valid Phase 1 configuration. Always remember the rule: In Phase 1, only the hub uses multipoint GRE.

Spokes use point-to-point GRE. If you see a configuration in the exam where the spoke has tunnel mode gre multipoint, recognize it as incorrect for Phase 1. The spoke might function in a limited way, but it violates the Phase 1 design and will not work properly in a real deployment.

Commonly Confused With

DMVPN Phase 1 vs DMVPN Phase 2

In Phase 2, spoke routers can build direct tunnels to each other on demand for traffic that does not need to go through the hub. Phase 1 requires all inter-spoke traffic to pass through the hub. Phase 2 uses mGRE on both hub and spokes, and NHRP shortcut switching enables dynamic spoke-to-spoke tunnels.

With Phase 1, if Chicago wants to talk to Omaha, the data goes Chicago to Hub to Omaha. With Phase 2, Chicago and Omaha can build a direct encrypted tunnel between them, bypassing the hub for faster communication.

DMVPN Phase 1 vs DMVPN Phase 3

Phase 3 is similar to Phase 2 but uses NHRP redirects instead of shortcuts. In Phase 3, the hub sends a redirect message to a spoke when it forwards traffic for a destination that is reachable via another spoke. The spoke then builds a direct tunnel using that redirect. Phase 3 is more efficient for large networks because it reduces the number of NBMA mappings on the hub.

In Phase 2, the hub advertises routes for all spoke networks. In Phase 3, the hub sends a redirect only when necessary, similar to how ICMP redirects work in Ethernet networks. This reduces the hub’s routing table size in very large deployments.

DMVPN Phase 1 vs IPsec VPN Site-to-Site

A traditional site-to-site IPsec VPN is static: both endpoints must know each other’s public IP addresses, and the tunnel is always active. DMVPN Phase 1 uses mGRE and NHRP to handle dynamic public IP addresses on spokes. DMVPN also supports dynamic routing protocols over the tunnel, which a static site-to-site IPsec VPN does not natively support.

If a branch office changes its IP address, a static IPsec VPN breaks until an administrator updates the configuration. With DMVPN Phase 1, the branch’s NHRP registration updates the hub automatically, and the tunnel reestablishes without manual intervention.

Step-by-Step Breakdown

1. Spoke router boots and starts its tunnel interface

The spoke router brings up its point-to-point GRE tunnel interface. The tunnel source is the spoke’s physical interface (like GigabitEthernet0/0), and the tunnel destination is the hub’s public IP address. At this point, the tunnel is in a down state because no NHRP registration has occurred yet.

2. Spoke sends NHRP Registration Request to the hub

The spoke constructs an NHRP Registration Request packet that includes its tunnel IP address (e.g., 10.0.0.2) and its real public IP address (e.g., 203.0.113.5). This packet is sent to the hub’s tunnel IP address. The hub receives it on its mGRE tunnel interface.

3. Hub processes the registration and updates its NHRP mapping table

The hub’s NHRP server component checks the registration request for authentication (if configured). If valid, it adds an entry to its mapping table that associates the spoke’s tunnel IP with its real public IP. The hub then sends an NHRP Registration Reply back to the spoke, confirming success. The tunnel on the spoke transitions to the up/up state.

4. Dynamic routing protocol establishes adjacency over the tunnel

With the tunnel up, the IGP (EIGRP, OSPF, or BGP) running on both routers can form a neighbor adjacency. The spoke advertises its local networks (e.g., the store’s LAN subnet) to the hub. The hub advertises all known networks, including routes to other spokes, back to the spoke. The spoke now has a route to all other spoke networks via the hub’s tunnel IP.

5. Data flows from spoke to spoke through the hub (hairpinning)

When a spoke wants to send traffic to another spoke’s network, it looks up its routing table. The route points to the hub’s tunnel IP as the next hop. The spoke encapsulates the packet in GRE and IPsec, using its own public IP as source and the hub’s public IP as destination. The hub receives it, decapsulates the packet, and checks its routing table. The hub then re-encapsulates the packet with the destination spoke’s public IP and forwards it. This hairpinning adds latency but is inherent to Phase 1.
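The five steps above as a Python model, added here as an example and not taken from the original page or from Cisco code. It is a simplification that tracks only the hub's NHRP mapping table, the routes the hub learns, and the outer IP headers of each encrypted hop; the hub public IP 198.51.100.1, the second spoke, the LAN prefixes and the authentication string are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Spoke:
    name: str
    tunnel_ip: str
    public_ip: str
    lan: str

@dataclass
class Hub:
    tunnel_ip: str
    public_ip: str
    nhrp_auth: str
    nhrp_map: dict = field(default_factory=dict)  # spoke tunnel IP -> current public IP
    routes: dict = field(default_factory=dict)    # spoke LAN prefix -> spoke tunnel IP

    def register(self, spoke, auth):
        """Steps 2-3: accept a Registration Request only if authentication matches."""
        if auth != self.nhrp_auth:
            return False  # no mapping is created, so no successful reply is sent
        self.nhrp_map[spoke.tunnel_ip] = spoke.public_ip
        return True

    def learn_route(self, spoke):
        """Step 4: routes are learned only from a spoke that has registered."""
        if spoke.tunnel_ip not in self.nhrp_map:
            return False
        self.routes[ipaddress.ip_network(spoke.lan)] = spoke.tunnel_ip
        return True

    def next_hop(self, dst_ip):
        """Longest-prefix match over the spoke LANs the hub has learned."""
        addr = ipaddress.ip_address(dst_ip)
        matches = [net for net in self.routes if addr in net]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda net: net.prefixlen)]

def hairpin(hub, src, dst_ip):
    """Step 5: outer (source, destination) IP pair of each encrypted hop."""
    if src.tunnel_ip not in hub.nhrp_map:
        return []  # unregistered spoke: no tunnel to carry the packet
    nh = hub.next_hop(dst_ip)
    if nh is None:
        return []  # hub has no route to the destination, hairpinning fails
    return [(src.public_ip, hub.public_ip), (hub.public_ip, hub.nhrp_map[nh])]

def demo():
    """Constructed scenario: spoke B's public IP changes between two packets."""
    hub = Hub("10.0.0.1", "198.51.100.1", "EXAMPLE1")
    a = Spoke("A", "10.0.0.2", "203.0.113.5", "172.16.2.0/24")
    b = Spoke("B", "10.0.0.3", "203.0.113.77", "172.16.3.0/24")
    for spoke in (a, b):
        hub.register(spoke, "EXAMPLE1")
        hub.learn_route(spoke)
    before = hairpin(hub, a, "172.16.3.10")
    b.public_ip = "203.0.113.200"   # ISP reassigns B's address
    hub.register(b, "EXAMPLE1")     # re-registration refreshes the hub mapping
    after = hairpin(hub, a, "172.16.3.10")
    return before, after

if __name__ == "__main__":
    for label, hops in zip(("before", "after"), demo()):
        print(label, hops)
```

Spoke A never learns B's public address in either run; only the hub's mapping changes, which is why the hub is the single place to monitor and to enforce policy in Phase 1.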

Practical Mini-Lesson

DMVPN Phase 1 is a practical, production-ready technology that you will encounter in many enterprise networks. When you deploy it, the first decision is whether Phase 1 is appropriate for your traffic patterns. If most communication is between branch offices and a central data center, Phase 1 is a strong candidate. If branches need to talk to each other frequently, consider Phase 2 or Phase 3.

Configuration starts with the hub. On the hub, you create a tunnel interface with tunnel mode gre multipoint. You assign an IP address from a private range (like 10.0.0.1/24). You set a tunnel source (the hub’s public interface). You enable NHRP with ip nhrp network-id, and optionally ip nhrp authentication for security. You then configure IPsec to protect the tunnel, typically using tunnel protection ipsec profile. Finally, you configure your dynamic routing protocol over the tunnel interface.

For each spoke, the configuration is simpler. Create a point-to-point GRE tunnel interface (tunnel mode gre ip). Assign a unique tunnel IP, like 10.0.0.2/24 for the first spoke. Set the tunnel source to the spoke’s public interface. Set the tunnel destination to the hub’s public IP address. Configure NHRP with the same network-id and authentication string. Enable IPsec in the same way. Then configure the IGP to advertise the spoke’s local networks.

What can go wrong? The most common issue is that the tunnel does not come up. Check that the spoke can reach the hub’s public IP (ping it). Verify that NHRP is configured with matching network-ids. If authentication is used, both sides must match exactly. Also ensure that IPsec parameters match, such as pre-shared keys or certificates. Another issue is routing: if the hub does not have a route to a spoke’s network, hairpinning fails. Use show ip route on the hub to verify that all spoke networks are in the routing table. On the spoke, use show dmvpn to see the NHRP mappings and tunnel status.

DMVPN Phase 1 connects to broader concepts like dynamic routing, encryption, and tunneling. It is often used alongside MPLS or SD-WAN to create hybrid WAN architectures. Understanding Phase 1 gives you a solid foundation for advanced VPN technologies and network automation, since DMVPN configurations are highly scriptable with tools like Ansible or Python.
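The checks from this mini-lesson (hub on mGRE, spokes on point-to-point GRE pointing at the hub, matching NHRP settings, IPsec protection) can be run over saved configurations before a tunnel is brought up. The following Python is an added example, not code from the original page; the sample configs, the hub public IP 198.51.100.1, and the key and profile names are constructed placeholders.

```python
import re

# Constructed sample configs, not from the original page. 198.51.100.1 is an
# assumed hub public IP; the NHRP key and IPsec profile names are placeholders.
HUB_CFG = """\
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp network-id 1
 ip nhrp authentication EXAMPLE1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile EXAMPLE-PROFILE
"""
# No "tunnel mode" line here: point-to-point GRE is the IOS default mode.
SPOKE_OK = """\
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip nhrp network-id 1
 ip nhrp authentication EXAMPLE1
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
 tunnel protection ipsec profile EXAMPLE-PROFILE
"""
# Constructed faulty spoke: mGRE mode, wrong NHRP key, no IPsec protection.
SPOKE_BAD = """\
interface Tunnel0
 ip address 10.0.0.3 255.255.255.0
 ip nhrp network-id 1
 ip nhrp authentication EXAMPLE2
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
"""
PATTERNS = {
    "mode": r"tunnel mode (gre multipoint|gre ip)\s*$",
    "destination": r"tunnel destination (\S+)",
    "network_id": r"ip nhrp network-id (\d+)",
    "auth": r"ip nhrp authentication (\S+)",
    "ipsec_profile": r"tunnel protection ipsec profile (\S+)",
}

def parse_tunnel(cfg):
    """Collect Phase 1 relevant settings; assumes one Tunnel interface per config."""
    t = {key: None for key in PATTERNS}
    t["mode"] = "gre ip"  # default when the config has no explicit tunnel mode
    in_tunnel = False
    for line in cfg.splitlines():
        if not line.startswith(" "):  # a new top-level stanza begins
            in_tunnel = re.match(r"interface Tunnel\d+", line) is not None
            continue
        if in_tunnel:
            for key, pattern in PATTERNS.items():
                m = re.match(pattern, line.strip())
                if m:
                    t[key] = m.group(1)
    return t

def audit_hub(hub):
    checks = [
        (hub["mode"] == "gre multipoint", "hub: tunnel mode is not gre multipoint"),
        (hub["network_id"] is not None, "hub: ip nhrp network-id missing"),
        (hub["ipsec_profile"] is not None, "hub: no tunnel protection ipsec profile"),
    ]
    return [msg for ok, msg in checks if not ok]

def audit_spoke(name, spoke, hub, hub_public_ip):
    checks = [
        (spoke["mode"] == "gre ip", "uses mGRE; Phase 1 spokes are point-to-point"),
        (spoke["destination"] == hub_public_ip, "tunnel destination is not the hub"),
        (spoke["network_id"] == hub["network_id"], "NHRP network-id differs from hub"),
        # The key itself is never echoed into the report.
        (spoke["auth"] == hub["auth"], "NHRP authentication differs from hub"),
        (spoke["ipsec_profile"] is not None, "no tunnel protection ipsec profile"),
    ]
    return [f"{name}: {msg}" for ok, msg in checks if not ok]

if __name__ == "__main__":
    hub = parse_tunnel(HUB_CFG)
    for name, cfg in (("spoke-ok", SPOKE_OK), ("spoke-bad", SPOKE_BAD)):
        print(audit_hub(hub) + audit_spoke(name, parse_tunnel(cfg), hub, "198.51.100.1"))
```

The network-id comparison follows this page's troubleshooting checklist; the hub's public IP is passed in separately because the hub config names only a source interface.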

Memory Tip

One tunnel per spoke, all roads lead to the hub.


Frequently Asked Questions

Can I use DMVPN Phase 1 with IPv6?

Yes, DMVPN Phase 1 supports IPv6. The tunnel interfaces can carry IPv6 traffic, and NHRP supports IPv6 address registration. However, most production deployments still use IPv4 for DMVPN, and IPv6 support may require additional configuration.

What happens if the hub router goes down in Phase 1?

All spoke tunnels will go down because every tunnel terminates on the hub. There is no way for spokes to communicate directly. To provide redundancy, you can deploy a second hub with a separate DMVPN Phase 1 network, or use HSRP to create a virtual hub IP.

Is DMVPN Phase 1 still relevant today with SD-WAN becoming popular?

Yes, many enterprises still run Phase 1 for smaller sites or legacy environments. SD-WAN often replaces DMVPN in new deployments, but Phase 1 remains a supported and tested solution, especially in networks that do not need advanced traffic engineering.

Do I need a static public IP on the hub for Phase 1 to work?

Yes, the hub should have a static public IP address or a stable DNS name that resolves to a static address. Spokes need to know the hub’s destination address to form the tunnel. If the hub’s IP changes, all spokes lose connectivity until they are updated.

Can I mix Phase 1 and Phase 2 spokes under the same hub?

Technically, yes, but it is not recommended because the behavior differs. Phase 1 spokes expect to hairpin through the hub, while Phase 2 spokes may try to build direct tunnels. This can cause routing inconsistencies. Best practice is to use the same phase for all spokes on a single hub.

How does DMVPN Phase 1 handle MTU issues?

GRE and IPsec add overhead, which can cause fragmentation. Most configurations set ip mtu 1400 and ip tcp adjust-mss 1360 on the tunnel interface to avoid fragmentation issues. This ensures that packets stay within the path MTU.

Summary

DMVPN Phase 1 is a Cisco VPN technology that creates a secure, hub-and-spoke network over the internet. Each branch office (spoke) has one point-to-point tunnel to the central hub, and all inter-spoke traffic must pass through the hub. This design is simple to configure, easy to scale, and automatically adapts when spoke public IP addresses change, thanks to NHRP.

Phase 1 is ideal for networks where most traffic flows between branches and a centralized data center, and direct branch-to-branch communication is not required. For CCNP exams, remember that the hub uses mGRE, spokes use point-to-point GRE, and that NHRP registration is essential for tunnel establishment. Common exam traps include confusing Phase 1 with later phases, misconfiguring the tunnel mode on spokes, and forgetting that Phase 1 does not support direct spoke-to-spoke tunnels.

Mastering DMVPN Phase 1 builds a strong foundation for understanding advanced routing, VPNs, and enterprise WAN design.