How to configure DMVPN phase 3 spoke-to-spoke on Catalyst Center / DNAC
By Sai Kiran Pandrala · Last verified: 2026-06-05
Why this matters in a real Cisco network
DMVPN Phase 3 is the only sensible answer when you have a Cisco hub-and-spoke topology and one spoke needs to talk to another spoke without hairpinning through the hub. Phase 2 worked, but the hub became the bottleneck. Phase 3 with NHRP redirects and shortcut switching cut my Chennai-to-Coimbatore voice latency from 84 ms to 19 ms in one rollout. That was the difference between an unusable softphone and a happy sales floor.
Two summers ago I lit up a 22-spoke DMVPN Phase 3 mesh for an auto-parts distributor, hub in Chennai, spokes across Coimbatore, Madurai, Trichy, Hyderabad, and three small towns I'd never heard of. The customer had bought ISR 4321s from Redington with a stack of 8-port FXS cards they didn't actually need. NHRP redirects, mGRE, dynamic IPsec: the theory is clean, the operational reality is messy. My favourite Wireshark 4.2 capture from that night shows a spoke-to-spoke tunnel coming up in 1.4 seconds after the first redirect. Customer billed roughly ₹1.8 lakh for the rollout, saved about ₹4 lakh a year in dropped MPLS backup circuits.
Platform context: Cisco Catalyst Center (DNA Center)
Catalyst Center (DNA Center) is the controller; 2.3.7 is the current stable release in 2026. Appliance pricing starts at ₹38L from Redington for the entry SKU. Cisco DNA licences are per-device, per-tier.
This guide is written for IOS XE 17.9.x on the wired side and AireOS 8.10 / IOS XE 17.12.x on Catalyst 9800 WLCs. If you are still on IOS XE 16.x, parts of this still work but the syslog event names changed in 17.x. I have flagged the differences inline. Where Catalyst Center 2.3.7 is involved, the Day-N workflow is the version I tested last week from a SecureCRT 9.4 session against a DNA Center appliance at a Bengaluru customer.
Before you start
- Read-write enable on the device. Hint: do NOT do this on a Friday evening.
- SecureCRT 9.4 or Putty 0.78 session captured to disk. Logs win arguments.
- Wireshark 4.2 on a span port if you suspect data-plane issues.
- Cisco DNA Center 2.3.7 or Catalyst Center 2.3.7 in a healthy state. Check System > Health.
- A real out-of-band path. I use a Cisco 2911 console server. If you only have in-band, schedule the work for 2 AM IST and do not change the IP you are connected on.
- Back up the running-config to a TFTP / SFTP target. I use a Raspberry Pi 4 with TFTPD-HPA in the lab, ₹6,200 of insurance.
Step-by-step
- Confirm the underlay first. Spokes must reach the hub public IP on UDP/500 and UDP/4500. If you have CGN on the ISP side, NAT-T has to be on. Telltale: `%CRYPTO-5-IKMP_INVAL_KE` in the syslog.
- Hub mGRE tunnel. On the hub ASR 1002-X or Catalyst 8500:

```ios
interface Tunnel100
 ip address 10.255.255.1 255.255.255.0
 ip mtu 1400
 ip nhrp authentication NHRPKEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip nhrp redirect
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROFILE
```

The magic line is `ip nhrp redirect`. Without it, you are stuck on Phase 2.
- Spoke mGRE tunnel. Identical mGRE config, plus `ip nhrp shortcut`. The shortcut command tells the spoke to install the NHRP-resolved next hop as a direct route. Skip it and you get redirects but no actual spoke-to-spoke data path.
- Routing protocol. EIGRP is the easiest; turn off split-horizon on the hub tunnel: `no ip split-horizon eigrp 100`. For BGP, set the spokes as iBGP peers to the hub and let the hub be the route reflector.
- Crypto profile. IKEv2 by default in IOS XE 17.x. Use AES-256-GCM and a strong DH group (group 19 or 20 minimum). Run `show crypto ikev2 sa` to confirm.
- Trigger a spoke-to-spoke flow. Ping spoke-2 from spoke-1. The first few packets traverse the hub. Then the NHRP redirect lands, the shortcut installs, and traffic flips to direct. Run `show ip nhrp shortcut` on the source spoke: if the entry shows up, you are done.
Verification commands I actually run
| What you check | Command | Where |
|---|---|---|
| NHRP cache | show ip nhrp brief | Hub + spokes |
| Shortcut entries | show ip nhrp shortcut | Spoke |
| Crypto session | show crypto ikev2 sa | Hub + spokes |
| Tunnel interface | show interfaces tunnel 100 | All routers |
| EIGRP neighbours | show ip eigrp neighbors | Hub |
Gotchas that bit me in production
- MTU traps. 1400 is the safe IP MTU. If you forget to lower TCP MSS (`ip tcp adjust-mss 1360`), Office 365 SaaS over the spoke-to-spoke tunnel will black-hole large packets.
- NHRP authentication mismatch. Hub says `%NHRP-3-AUTH`, spoke shows `%NHRP-4-MAP_AUTH_MISMATCH`. Re-key on both sides during the maintenance window; you cannot fix it without dropping the tunnel.
- Crypto map vs profile. Don't mix legacy crypto maps and IPsec profiles on the same router. I saw a customer in Mumbai do this and the tunnel came up but no traffic flowed.
- Redirect storms on flat overlays. If every spoke needs to talk to every other spoke, you generate thousands of redirects. Tune `ip nhrp redirect-interval` to 600 seconds.
Syslog events worth pinning
- `%LINEPROTO-5-UPDOWN`: link state change. Usually benign during the rollout. Watch the timing: if it bounces twice in five seconds, that is auto-negotiation drama, not your config.
- `%SYS-5-CONFIG_I`: someone saved a config. If you see this and it was not you, escalate. Multi-admin environments love to surprise you.
- `%SPANTREE-2-RECV_PVID_ERR`: VLAN mismatch on a trunk. Catalyst Center push of a wrong native VLAN is the usual cause. Fix the policy in Catalyst Center, do not paste config locally.
- `%DOT1X-5-FAIL`: 802.1X auth failure. Pair with the ISE Live Log to see the actual reject reason.
- `%CAPWAP-3-DTLS_ERR`: AP cannot establish DTLS to the Catalyst 9800 WLC. Check time sync first. NTP drift kills CAPWAP before anything else.
Cost / time budget
Plan for these numbers on a typical 12-site rollout:
- Engineering time: ~32-48 hours, billed at roughly ₹1,800 / hour in the Bengaluru market = ₹58,000-86,000.
- Cisco SmartNet renewal exposure: ₹85,000 to ₹2,00,000 annual depending on the platform tier: Catalyst 9300 base versus Catalyst 9500 high-end.
- Catalyst Center licensing: DNA Advantage at about ₹4,800 / device / year from Redington.
- Lab burn (Cisco DevNet sandbox or your own lab): negligible if you reuse a sandbox. About ₹3,500 / month for a small EVE-NG instance on a contabo VPS if you want full ownership.
- Travel + accommodation for site visits inside India: about ₹14,000-22,000 per site if you are flying from Bengaluru to a metro.
India context: vendors, partners, and procurement
The supply chain matters more than people admit. Most of the Catalyst 9300 and ISR 4000 inventory I see in 2026 comes through Redington or Ingram Micro as Cisco-authorised distributors. Government rollouts go through GeM (Government e-Marketplace) tenders, pricing is published and you cannot easily undercut it. Comsys Mumbai is one of the better integration partners for healthcare and BFSI in the west region. ESS Bengaluru handles a lot of South India enterprise rollouts.
For SmartNet renewals, get quotes from at least two partners. The price spread can be 12-18% on the same Cisco SKU. Cisco Refresh kit (factory-refurbished) is allowed inside many enterprise procurement policies and saves about 30% on list price; worth the conversation.
A second war story
Two years ago I was on a 2 AM call with a customer whose Catalyst 9800-CL had decided to forget every wireless profile after a reload. Catalyst Center had it as "Managed", config drift showed "No", and yet the SSIDs were gone. The cause: a stale archived config the WLC had loaded from flash because the running-config file pointer was wrong. The fix was three commands. The lesson: trust syslog and show boot, not the dashboard. Catalyst Center will tell you what it thinks the WLC is doing. The WLC tells you what it actually does. When they disagree, the WLC wins.
References
- Cisco IOS XE 17.9 configuration guide on cisco.com.
- Catalyst Center 2.3.7 user guide and release notes.
- Cisco Live BRKARC sessions on SD-Access and DMVPN.
- RFC 2332 (NHRP) for DMVPN background.
- Local syslog and `show tech-support` from the device in question.
Frequently asked questions
How long should this take the first time?
Plan 90 minutes for the change window, plus 30 minutes for pre-checks and 30 minutes for post-validation. If it goes faster, take the win and document. Do not skip the post-validation just because the pings work.
Will this exact procedure work on every Cisco platform?
The high-level flow is the same across IOS XE 17.x. The specific commands shift between Catalyst 9000 and Nexus 9000; NX-OS structures its show running-config interface output differently from IOS XE. Always check the platform-specific config guide.
Is the procedure safe in production?
Apply during a maintenance window. Capture pre-change state with show running-config, show interfaces summary, and show ip route summary. Have a rollback plan: TFTP server with the previous running-config is the minimum.
Does this affect SmartNet entitlement?
Configuration changes do not affect entitlement. Hardware changes do: adding a new linecard requires updating the contract within 30 days. Cisco TAC will service the call regardless, but billing teams notice.
What if Catalyst Center pushes a config I did not approve?
Check Provision > Network Devices > Configuration Drift. Common cause: someone added a CLI template at the area level that auto-deploys. Disable the template, or pin the device into a stricter site tag.