Cisco Real World Problems

How to configure DMVPN phase 3 spoke-to-spoke on Catalyst Center / DNAC

By Sai Kiran Pandrala · Last verified: 2026-06-05

Why this matters in a real Cisco network

DMVPN Phase 3 is the only sensible answer when you have a Cisco hub-and-spoke topology and one spoke needs to talk to another spoke without hairpinning through the hub. Phase 2 worked, but the hub became the bottleneck. Phase 3 with NHRP redirects and shortcut switching cut my Chennai-to-Coimbatore voice latency from 84 ms to 19 ms in one rollout. That was the difference between an unusable softphone and a happy sales floor.

Two summers ago I lit up a 22-spoke DMVPN Phase 3 mesh for an auto-parts distributor: hub in Chennai, spokes across Coimbatore, Madurai, Trichy, Hyderabad, and three small towns I'd never heard of. The customer had bought ISR 4321s from Redington with a stack of 8-port FXS cards they didn't actually need. NHRP redirects, mGRE, dynamic IPsec: the theory is clean, the operational reality is messy. My favourite Wireshark 4.2 capture from that night shows a spoke-to-spoke tunnel coming up in 1.4 seconds after the first redirect. The customer was billed roughly ₹1.8 lakh for the rollout and saved about ₹4 lakh a year in dropped MPLS backup circuits.

Platform context: Cisco Catalyst Center (DNA Center)

Catalyst Center (DNA Center) is the controller; 2.3.7 is the current stable release in 2026. Appliance pricing starts at ₹38L from Redington for the entry SKU. Cisco DNA licences are per-device, per-tier.

This guide is written for IOS XE 17.9.x on the wired side and AireOS 8.10 / IOS XE 17.12.x on Catalyst 9800 WLCs. If you are still on IOS XE 16.x, parts of this still work but the syslog event names changed in 17.x. I have flagged the differences inline. Where Catalyst Center 2.3.7 is involved, the Day-N workflow is the version I tested last week from a SecureCRT 9.4 session against a DNA Center appliance at a Bengaluru customer.

Before you start

Step-by-step

  1. Confirm the underlay first. Spokes must reach the hub public IP on UDP/500 and UDP/4500. If you have CGN on the ISP side, NAT-T has to be on. Telltale: %CRYPTO-5-IKMP_INVAL_KE in the syslog.
  2. Hub mGRE tunnel. On the hub ASR 1002-X or Catalyst 8500:
    interface Tunnel100
     ip address 10.255.255.1 255.255.255.0
     ip mtu 1400
     ip nhrp authentication NHRPKEY
     ip nhrp map multicast dynamic
     ip nhrp network-id 100
     ip nhrp redirect
     tunnel source GigabitEthernet0/0/0
     tunnel mode gre multipoint
     tunnel key 100
     tunnel protection ipsec profile DMVPN-PROFILE
    The magic line is ip nhrp redirect. Without it, you are stuck on Phase 2.
  3. Spoke mGRE tunnel. Identical mGRE config, plus ip nhrp shortcut. The shortcut command tells the spoke to install the NHRP-resolved next hop as a direct route. Skip it and you get redirects but no actual spoke-to-spoke data path.
  4. Routing protocol. EIGRP is the easiest; turn off split-horizon on the hub tunnel with no ip split-horizon eigrp 100. For BGP, set the spokes up as iBGP peers of the hub and let the hub be the route reflector.
  5. Crypto profile. IKEv2 by default in IOS XE 17.x. Use AES-256-GCM and a strong DH group (group 19 or 20 minimum). Run show crypto ikev2 sa to confirm.
  6. Trigger a spoke-to-spoke flow. Ping spoke-2 from spoke-1. First few packets traverse the hub. Then the NHRP redirect lands, shortcut installs, and traffic flips to direct. Run show ip nhrp shortcut on the source spoke: if the entry shows up, you are done.
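The spoke side of steps 3 to 5 as one complete configuration. This is an added example written for this page, not the author's production config: the hub public (NBMA) address 203.0.113.1, the spoke tunnel address 10.255.255.2, the spoke LAN 192.168.2.0/24, the pre-shared key placeholder and the object names DMVPN-IKEV2-PROP, DMVPN-IKEV2-POL, DMVPN-KEYRING, DMVPN-IKEV2-PROFILE and DMVPN-TS are assumptions. Tunnel100, NHRPKEY, network-id 100, tunnel key 100, DMVPN-PROFILE and EIGRP AS 100 are taken from the hub config in step 2 so the two sides match.

```cisco
! Added example (not the page author's config): DMVPN Phase 3 spoke.
! Assumed values: hub NBMA address 203.0.113.1, spoke tunnel address
! 10.255.255.2, spoke LAN 192.168.2.0/24, placeholder pre-shared key.
! NHRP authentication string, network-id, tunnel key and the IPsec
! profile name must be identical on hub and spokes.
!
! --- Step 5: IKEv2 + IPsec (same block on hub and every spoke) ---
crypto ikev2 proposal DMVPN-IKEV2-PROP
 encryption aes-gcm-256
 prf sha384
 group 19
!
crypto ikev2 policy DMVPN-IKEV2-POL
 proposal DMVPN-IKEV2-PROP
!
crypto ikev2 keyring DMVPN-KEYRING
 peer DMVPN-PEERS
  address 0.0.0.0 0.0.0.0
  pre-shared-key REPLACE-WITH-YOUR-PSK
!
crypto ikev2 profile DMVPN-IKEV2-PROFILE
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local DMVPN-KEYRING
 dpd 10 3 on-demand
!
crypto ipsec transform-set DMVPN-TS esp-gcm 256
 mode transport
!
crypto ipsec profile DMVPN-PROFILE
 set transform-set DMVPN-TS
 set ikev2-profile DMVPN-IKEV2-PROFILE
!
! --- Step 3: spoke mGRE tunnel (mirrors the hub, plus nhs/map/shortcut) ---
interface Tunnel100
 ip address 10.255.255.2 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication NHRPKEY
 ip nhrp map 10.255.255.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 100
 ip nhrp nhs 10.255.255.1
 ip nhrp shortcut
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROFILE
!
! --- Step 4: EIGRP on the spoke (the hub additionally carries
!     'no ip split-horizon eigrp 100' under Tunnel100) ---
router eigrp 100
 network 10.255.255.0 0.0.0.255
 network 192.168.2.0 0.0.0.255
!
```

The spoke keeps ip nhrp shortcut and does not configure ip nhrp redirect; the redirect is the hub's job, the shortcut is the spoke's. Transport mode with ip tcp adjust-mss 1360 keeps the GRE+ESP overhead inside the 1400-byte tunnel MTU, which is the usual reason a tunnel "comes up" but large transfers stall. After pushing this to two spokes, step 6 applies unchanged: ping between them and confirm the entry with show ip nhrp shortcut on the source spoke.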

Verification commands I actually run

What you check      Command                      Where
NHRP cache          show ip nhrp brief           Hub + spokes
Shortcut entries    show ip nhrp shortcut        Spoke
Crypto session      show crypto ikev2 sa         Hub + spokes
Tunnel interface    show interfaces tunnel 100   All routers
EIGRP neighbours    show ip eigrp neighbors      Hub

Gotchas that bit me in production

Syslog events worth pinning

Cost / time budget

Plan for these numbers on a typical 12-site rollout:

India context: vendors, partners, and procurement

The supply chain matters more than people admit. Most of the Catalyst 9300 and ISR 4000 inventory I see in 2026 comes through Redington or Ingram Micro as Cisco-authorised distributors. Government rollouts go through GeM (Government e-Marketplace) tenders, pricing is published and you cannot easily undercut it. Comsys Mumbai is one of the better integration partners for healthcare and BFSI in the west region. ESS Bengaluru handles a lot of South India enterprise rollouts.

For SmartNet renewals, get quotes from at least two partners. The price spread can be 12-18% on the same Cisco SKU. Cisco Refresh kit (factory-refurbished) is allowed under many enterprise procurement policies and saves about 30% on list price; it is worth the conversation.

A second war story

Two years ago I was on a 2 AM call with a customer whose Catalyst 9800-CL had decided to forget every wireless profile after a reload. Catalyst Center had it as "Managed", config drift showed "No", and yet the SSIDs were gone. The cause: a stale archived config the WLC had loaded from flash because the running-config file pointer was wrong. The fix was three commands. The lesson: trust syslog and show boot, not the dashboard. Catalyst Center will tell you what it thinks the WLC is doing. The WLC tells you what it actually does. When they disagree, the WLC wins.

Frequently asked questions

How long should this take the first time?

Plan 90 minutes for the change window, plus 30 minutes for pre-checks and 30 minutes for post-validation. If it goes faster, take the win and document. Do not skip the post-validation just because the pings work.

Will this exact procedure work on every Cisco platform?

The high-level flow is the same across IOS XE 17.x. The specific commands shift between Catalyst 9000 and Nexus 9000: NX-OS uses a show running-config interface structure that differs from IOS XE. Always check the platform-specific config guide.

Is the procedure safe in production?

Apply during a maintenance window. Capture pre-change state with show running-config, show interfaces summary, and show ip route summary. Have a rollback plan: TFTP server with the previous running-config is the minimum.

Does this affect SmartNet entitlement?

Configuration changes do not affect entitlement. Hardware changes do: adding a new linecard requires updating the contract within 30 days. Cisco TAC will service the call regardless, but billing teams notice.

What if Catalyst Center pushes a config I did not approve?

Check Provision > Network Devices > Configuration Drift. Common cause: someone added a CLI template at the area level that auto-deploys. Disable the template, or pin the device into a stricter site tag.