DMVPN
A Dynamic Multipoint Virtual Private Network (DMVPN) is an enhancement of the virtual private network (VPN) configuration process of Cisco IOS-based routers. DMVPN removes the need for pre-configured (static) IPsec (Internet Protocol Security) peers in crypto-map configurations and for ISAKMP (Internet Security Association and Key Management Protocol) peer statements. This feature of Cisco IOS allows greater scalability than previous IPsec configurations. An IPsec tunnel between two Cisco routers may be created on an as-needed basis. Tunnels may be created between a spoke router and a hub router (the VPN headend), or directly between spokes. This greatly reduces the need for the hub to route data between spoke networks, as was common in a non-fully-meshed frame relay topology.

Configuration details

A DMVPN spoke is configured with one or more hub IP addresses. DMVPN hub IP addresses are typically static, such as at a corporate headquarters. DMVPN spoke IP addresses may be static or dynamic; an example would be a DMVPN spoke router acting as a DHCP client on a DSL or cable provider's network. The spoke router is configured with the hub's IP address, allowing it to connect whenever it is online. The hub router does not need to be configured with the IP addresses of the spoke routers. This allows many spoke VPN routers to be deployed without configuring additional peers on the hub(s). In the past, the hub's configuration grew whenever a spoke VPN router was added to the IPsec network.

Internal routing

For internal routing, a dynamic routing protocol is used between the spokes and the hub, as well as between spokes. Cisco EIGRP or OSPF are commonly used for further scalability. Many engineers consider DMVPN superior to earlier dynamic IPsec technologies such as TED (Tunnel Endpoint Discovery).

Summary

In summary, DMVPN is a framework technology, consisting of:
  • An IPsec profile, which is associated with a virtual tunnel interface in IOS software. Traffic sent via the tunnel is encrypted per the configured policy (IPsec transform set)
  • Generic Routing Encapsulation (GRE), or multipoint GRE if spoke-to-spoke tunnels are desired
  • NHRP (Next Hop Resolution Protocol), RFC 2332
  • A dynamic routing protocol: ODR, RIP, EIGRP, OSPF, IS-IS or BGP

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.