What is DMVPN?

DMVPN (dynamic multipoint virtual private network) is a secure network that exchanges data between sites/routers without passing all traffic through the organization's virtual private network (VPN) server or router located at its headquarters. A DMVPN allows organizations to build a VPN network with multiple sites without the need to configure devices statically. Traditional VPNs connect each remote site to the company headquarters; a DMVPN instead creates a mesh VPN topology.


DMVPN is a new technology for us, so it is worth learning more about it.


1) How DMVPN works

With DMVPN, branch locations can communicate using the same resources via a public WAN or internet connection. A DMVPN runs on VPN routers and firewall concentrators. Each remote site has a router configured to connect to the company headquarters' VPN hub.


When two spokes exchange data -- for a Voice over IP call, for example -- one spoke will contact the hub, obtain the necessary information about the second spoke, and create a dynamic IPsec VPN tunnel between them. The spokes don't utilize a permanent VPN connection; instead they communicate through a centralized hub-and-spoke model that can apply VPN protection and granular access controls as required.


DMVPN also supports encryption via IPsec. These features make DMVPN a popular topology for connecting sites/branches via the internet.


2) What are the components of DMVPN?

DMVPN consists of four key components.

Component one: Multipoint GRE tunnel interfaces

For an enterprise network where sites need to connect, internet connections with multiple GRE tunnel interfaces can get messy and be difficult to scale. DMVPN and multipoint GRE (mGRE) allow a business to add multiple destinations, with only one tunnel interface on each router.

Essentially, mGRE uses a single GRE interface on each router that can reach multiple destinations. That one interface carries the IPsec-protected tunnels to all peers, which keeps the DMVPN configuration much smaller than one tunnel interface per peer.


Component two: NHRP

NHRP allows spokes with assigned IP addresses to be deployed and reached through the central DMVPN hub. One branch router needs this protocol to find the public IP address of another branch router. NHRP uses a server-client model: one router acts as the NHRP server and the other routers are NHRP clients. In the multipoint GRE/DMVPN topology, the hub router is the NHRP server and all other routers are the spokes. Each client registers with the server and reports its public IP address, which the server keeps in its cache.


Component three: IPsec Tunnel Endpoint Discovery

Tunnel Endpoint Discovery (TED) allows routers to automatically discover IPsec endpoints, so that static crypto maps between individual IPsec tunnel endpoints need not be configured. TED allows endpoints or peers to dynamically and proactively initiate the negotiation of IPsec tunnels to discover unknown peers.

Remote peers do not need TED configured to be discovered by inbound TED probes: a VPN device that receives a TED probe on an interface not configured for TED can still negotiate a dynamically initiated tunnel.


Component four: Routing protocols

Routing protocols enable the DMVPN to find routes between different endpoints efficiently and effectively. To build a scalable and stable DMVPN, it's important to choose the right routing protocol. One option is to use Open Shortest Path First (OSPF) as the interior routing protocol. OSPF is best suited for small-scale DMVPN deployments.


3) DMVPN's phases

The DMVPN design model consists of three phases.

Phase 1

In phase 1, the DMVPN spokes are registered with the hub. In this early phase, there is no direct communication between the spokes, so all traffic goes through the hub. Each spoke uses regular point-to-point GRE tunnel interfaces and requires only a summary or default route to the hub to reach other spokes. As a result, the routing configuration in this phase is simple.

Phase 2

This phase allows spoke-to-spoke tunnel deployment with all spoke routers using multipoint GRE tunnels. These spoke-to-spoke tunnels are on demand, i.e., triggered based on the spoke traffic. This means the data does not have to travel to a central hub first. While the hub is used for the control plane, it is not necessarily in the data plane. This key fact differentiates Phase 2 from Phase 1.

Phase 3

In phase 3, spoke-to-spoke tunnels are built without pre-configured spoke-specific routes. To obtain those routes on the fly, this phase uses NHRP traffic indication messages (redirect from the hub and shortcut on the spokes). This improves on the scalability of phase 2.


4) What are the advantages of DMVPN compared with a traditional VPN?

A DMVPN offers many benefits over a permanent VPN, including the following:

superior network speed and performance reliability;

reduced cost for secure communications;

better connectivity between branches by integrating VPN into existing communication practices;

fewer network delays;

conservation of WAN bandwidth;

reduced bandwidth requirements at the hub;

increased network resiliency and redundancy; and

secure routing with IPsec.


Please visit E-Lins Communication Co, Ltd. for more information.
