Documente Academic
Documente Profesional
Documente Cultură
Dynamic Multipoint VPN (DMVPN) is Ciscos answer to the increasing demands of enterprise
companies to be able to connect branch offices with head offices and between each other while
keeping costs low, minimising configuration complexity and increasing flexibility.
Note: Users familair with DMVPN can also visit our article Configuring Cisco Dynamic Multipoint
VPN (DMVPN) - Hub, Spokes , mGRE Protection and Routing
With DMVPN, one central router, usually placed at the head office, undertakes the role of the
Hub while all other branch routers are Spokes that connect to the Hub router so the branch
offices can access the companys resources. DMVPN consists of two mainly deployment designs:
DMVPN combines multiple GRE (mGRE) Tunnels, IPSec encryption and NHRP (Next Hop
Resolution Protocol) to perform its job and save the administrator the need to define multiple
static crypto maps and dynamic discovery of tunnel endpoints.
NHRP is layer 2 resolution protocol and cache, much like Address Resolution Protocol (ARP) or
Reverse ARP (Frame Relay).
The Hub router undertakes the role of the server while the spoke routers act as the clients. The
Hub maintains a special NHRP database with the public IP Addresses of all configured spokes.
Each spoke registers its public IP address with the hub and queries the NHRP database for the
public IP address of the destination spoke it needs to build a VPN tunnel.
An IP address
A Tunnel Source
A Tunnel Destination
An IP address
A Tunnel source
A Tunnel key
interface Tunnel 0
ip address 10.0.0.1 255.0.0.0
tunnel source Dialer 1
tunnel mode gre multipoint
tunnel key 1
It is important to note that mGRE interfaces do not have a tunnel destination. Because
mGRE tunnels do not have a tunnel destination defined, they cannot be used alone. NHRP fills
this gap by telling mGRE where to send the packets.
DMVPN Benefits
DMVPN provides a number of benefits which have helped make them very popular and highly
recommended. These include:
Simplified Hub Router Configuration. No more multiple tunnel interfaces for each
branch (spoke) VPN. A single mGRE, IPSec profile without any crypto access lists, is all that is
required to handle all Spoke routers. No matter how many Spoke routers connect to the Hub,
the Hub configuration remains constant.
Full Support for Spoke Routers with Dynamic IP Addressing. Spoke routers can
use dynamic public IP Addresses. Thanks to NHRP, Spoke routers rely on the Hub router to find
the public IP Address of other Spoke routers and construct a VPN Tunnel with them.
Lower Administration Costs. DMVPN simplifies greatly the WAN network topology,
allowing the Administrator to deal with other more time-consuming problems. Once setup,
DMVPN continues working around the clock, creating dynamic VPNs as needed and keeping
every router updated on the VPN topology.
Each
GRE tunnel between the hub-spoke routers is configured with its unique network ID. For
example, GRE tunnel between the HUB and Remote Office 1 could use network 10.0.0.0/30,
while GRE tunnel between the HUB and Remote Office 2 could use 10.0.1.0/30 etc.
In addition, the hub router has three GRE tunnels configured, one for each spoke, making the
overall configuration more complicated. In case no routing protocol is used in our VPN network,
the addition of one more spoke would mean configuration changes to all routers so that the new
spoke is reachable by everyone.
Lastly, traffic between spokes in a point-to-point GRE VPN network must pass through the hub,
wasting valuable bandwidth and introducing unnecessary bottlenecks.
One mGRE interface supports ALL spokes. Multiple mGRE interfaces are allowed, in
which case each is a separate DMVPN.
Dynamic Tunnel Destination simplifies support for dynamically addressed spokes with the
use of NHTP registration and dynamic routing protocols
Furthermore, spoke-to-spoke traffic no longer needs to pass through the hub router but is sent
directly from one spoke to another.
It should be clear how much simpler and easier DMVPN with mGRE is when compared with IPSec
VPN Crypto tunnels or point-to-point GRE.