
DMVPN Overview

What is it?

Dynamic Multipoint Virtual Private Network (DMVPN) is a Cisco proprietary VPN technology used to provide a scalable, resilient and secure hub-and-spoke solution. It does not introduce a new encryption protocol; it combines existing building blocks (mGRE, NHRP, IPsec and a dynamic routing protocol) so that tunnels are built on demand rather than configured one by one.

What problem does it solve?

DMVPN is based on a hub-and-spoke WAN design with the capability to form spoke-to-spoke connections if desired, allowing branch sites to communicate directly without having to pass through a central head office. The main reasons for using DMVPN are summarised below.

  • Scalability: when configuring point-to-point VPN tunnels via the Cisco command line the configuration becomes quite long, and this is compounded when you have 200-300 tunnels, since each one needs its own tunnel definition and crypto entry on the hub.
  • Dynamic routing protocols: dynamic routing protocols rely on multicast packets to discover neighbours over broadcast-capable networks. Plain IPsec does not carry multicast or broadcast traffic, because an IPsec SA is negotiated between two unicast endpoints. To work around this limitation DMVPN uses mGRE to build tunnels between tunnel endpoints; the GRE encapsulation turns the multicast hello into a unicast packet that IPsec can then protect.
  • Dynamic IP addresses: another key factor when setting up VPNs is that most small sites rely on an ADSL based connection, which will generally be assigned a different public IP address by the ISP each time it reconnects to the Internet, so the hub cannot be configured with a static peer address for each spoke.

In order for an IPsec and mGRE tunnel to establish, the IP address of the peer device must be known. DMVPN works around this by configuring the spoke with the static public IP of the hub: the spoke initiates the IPsec tunnel to the hub and then advises the hub of its own (possibly dynamic) public IP address using an NHRP registration. The hub therefore never needs a static entry for any spoke.

Key Components

  • Multipoint Generic Route Encapsulation (mGRE)
  • Next Hop Resolution Protocol (NHRP)
  • Internet Protocol Security (IPSec) encryption
  • Dynamic Routing Protocol (OSPF, EIGRP, BGP etc)

How does it work?

The important part is the multipoint element. mGRE differs from GRE in that GRE is purely a point-to-point tunnel, whereas mGRE allows point-to-multipoint tunnels. The big difference is that with GRE you would need to provision a new tunnel interface for every single connection, whereas with multipoint GRE a single tunnel interface connects to multiple peers. Because one interface now has many possible destinations, the router needs a way to map a peer's tunnel (overlay) address to its real public (NBMA) address, and that mapping is what NHRP provides.

Three types, or phases, of DMVPN exist, each with different use cases.

Phase 1

In phase 1 the hub operates with an mGRE endpoint and the spokes all run standard point-to-point GRE tunnels towards the hub. The main benefit of this version is a simplified configuration on the hub router, with no need to define every spoke router. Additionally, the spokes dynamically register their public IP addresses with the hub using NHRP. A further benefit is that the hub can send a summary or default route to all spokes while learning all of the spoke routes through the dynamic routing protocol. All spoke-to-spoke traffic passes through the hub, however, because a spoke's GRE tunnel has only one destination.

Phase 2

Phase 2 provides the capability for spoke routers to communicate directly without first having to traverse the hub router. To do this all of the routers involved must run mGRE. In addition, NHRP is used to allow spokes to initiate communication to other spokes: the spoke sends an NHRP resolution request to the hub, the hub replies with the other spoke's public address, and the two spokes then build an IPsec tunnel directly between themselves. One limitation of Phase 2 is that every router needs to have full routing information, with the originating spoke preserved as the next hop for each spoke prefix. This means that no summarisation can be performed at the hub; though this may be fine for most networks, it does limit scalability.

Phase 3

Phase 3 follows on from where phase 2 left off by offering a scalable solution: the hub can once again send a summary or default route, yet spokes still build direct spoke-to-spoke tunnels. When the hub forwards a packet back out of the same mGRE interface it arrived on, it sends an NHRP redirect to the originating spoke. That spoke then sends an NHRP resolution request for the destination, which is answered by the destination spoke, and installs the result as an NHRP shortcut route that overrides the summary route's next hop. Subsequent packets flow spoke to spoke without touching the hub.

Main Benefits of DMVPN

  • Smaller configuration on the hub – no spoke-specific information
  • No change is required to the existing DMVPN when a new spoke is rolled out; instead the spoke registers with the hub to provide its information and the dynamic routing protocol then propagates the routing from the spoke to the hub
  • Limited configuration on spoke devices

More Information

http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/41940-dmvpn.html

About Stephen Ransome

Stephen Ransome is an IT consultant and network nerd with experience ranging from SMBs to Service Providers, he has a passion for learning new technologies and delivering solutions that count. He has some alphabet soup, including CCIE#41102 and is far more cynical than he should be.