Dynamic Multipoint VPN (DMVPN) technology allows users to better scale large and small IPSec VPNs by combining generic routing encapsulation (mGRE) tunnels, IPSec encryption, and Next Hop Resolution Protocol (NHRP) to provide users with easy configuration through crypto profiles, which override the requirement for defining static crypto maps, and dynamic discovery of tunnel endpoints.
DMVPN technology is a Cisco IOS Software solution for building scalable dynamic virtual tunnel between multiple branch locations over the internet. Dynamic Multipoint VPN (DMVPN) technology is blend of GRE, NHRP and IPsec.
DMVPN create a secure network and remote sites directly communicate and exchange data without connecting to HUB site.
DMVPN provide faster communication between remote sites, Cisco DMVPN allows branch locations to communicate directly with each other over the public WAN or Internet.
DMVPN is a combination of features that help reduce some of the complexities of communications between a HUB location and multiple branch locations. It uses multipoint GRE (mGRE) and Next-Hop Resolution Protocol (NHRP) to help create a HUB and spoke network topology.
Spoke-to-spoke tunnels are designed to be dynamic, in that they are created only when there is data traffic to use the tunnel and they are removed when there is no longer any data traffic using the tunnel.
DMVPN Design Components
- DMVPN Hub-to-Spoke – used to HUB site (Data Center) to Remote site communication.
- DMVPN Spoke-to-Spoke – Used to perform Remote site to Remote Site direct communication
DMVPN Technology Components
- Multipoint GRE (mGRE) – Tunnel Interface is used to allow a single GRE interface to support multiple tunnels and helps dramatically to simplify the complexity and size of the configuration.
- NHRP (Next Hop Resolution Protocol) – Layer 2 (Data link Layer) Protocol used to dynamically map Interface public IP Address of the other systems that are part of that network, allowing these systems to directly communicate.
- Dynamic Routing – DMVPN Support Dynamic Routing Protocol such as RIP, EIGRP, OSPF, BGP, etc.
- IPsec (not required but recommended) – DMVPN support IPsec IKE tunnel.
- Cisco Express Forwarding (CEF) – VRF aware DMVPN on the hubs to segregate customer traffic
DMVPN and mGRE (Multipoint GRE)
Normally a GRE tunnel have a point-to-point interface with a defined source IP and destination IP. Normal GRE tunnel would have to be multiple tunnel interfaces on the hub router for each of the spoke router.
DMVPN With mGRE (Multipoint GRE) tunnel, the HUB router only needs to have a single tunnel interface for multiple spoke router.
Multipoint GRE allows a single tunnel configuration to then dynamically form tunnels without the need of loads of ‘interface tunnel x’ in the configuration. It can take the configuration of the single interface and then use NHRP to dynamically form tunnels with other spoke router.
NHRP and DMVPN
NHRP is essential part of DMVPN technology. Next Hop Resolution Protocol (NHRP) leyer2 protocol work like Address Resolution Protocol (ARP) that dynamically maps spokes router in DMVPN Network.
NHRP is a client and server protocol where the hub is the Next Hop Server (NHS) and the spokes are the Next Hop Clients (NHCs). The hub maintains an NHRP database of the public interface addresses of each spoke.
Each spoke registers its real address when it boots and queries the NHRP database for real addresses of the destination spokes to build direct tunnels.
- DMVPN network HUB Router will be the NHRP server.
- All other routers or Spoke will be NHRP clients.
- All Spoke Router registered with the NHRP server and register their real IP address.
- The NHRP server maintain track of all Spokes public IP addresses in its cache.
- Like ARP, NHRP can have static and dynamic entries.
- On Demand tunnel, if router wants to establish tunnel with another router, it will request the NHRP server for the public IP address of the other router.
- Spoke dynamically registers its mapping with NHS Supports spokes with dynamic NBMA addresses or NAT
- Supports building dynamic spoke-to-spoke tunnels Control and IP Multicast traffic still through hub Unicast data traffic direct; reduced load on hub routers.
DMVPN Dynamic Tunnel
- Spokes have a dynamic permanent GRE/IPsec tunnel to the hub, but not to other spokes. They register as clients of the NHRP server.
- When a spoke needs to send a packet to a destination (private) subnet behind another spoke, it queries the NHRP server for the real (outside) address of the destination spoke.
- Now the originating spoke can initiate a dynamic GRE/IPsec tunnel to the target spoke (because it knows the peer address).
- The spoke-to-spoke tunnel is built over the mGRE interface
- Lowers capital and operational expenses – Reduces costs in integrating voice, video with VPN security
- Simplifies branch communications – Enables direct branch-to-branch connectivity for business applications like voice
- Improves business resiliency – Prevents disruption of business-critical applications and services by incorporating routing with standards-based IPsec technology
- Lower Administration Costs – DMVPN simple and robust wan technology, allowing the Administrator to quickly built network across the networks. DMVPN creating on demand dynamic tunnel as needed and keeping every router updated on the VPN network
- Support IPsec Security – Optionally, DMVPN can be used IPsec security to provide data encryption and confidentiality. DMVPN can run without encryption.
DMVPN is excellent choice for small and Enterprise networking to connect different Geo remote location over the internet.DMVPN is Large-scale scalable and secure connectivity with lots of features such as QoS, Voice, video, multicast and IP SLA