DMVPN – What Is It? When Should I Use It?
April 4th, 2016

Numerous customers have presented us with design challenges that can be resolved via the use of DMVPN. What is
DMVPN? Where does it fit? What do I need to implement this solution? This article will answer those questions and
more.
 
DMVPN stands for Dynamic Multipoint Virtual Private Network and is a mature, full mesh capable, WAN connectivity
solution. It offers dynamic inter-site connectivity and is straightforward to deploy. DMVPN offers a secure, yet easily
configured, and scalable WAN solution. Most commonly, DMVPN runs as an overlay network riding on top of existing
Internet connectivity. Although not commonly deployed, DMVPN can run over MPLS (2547oDMVPN). We have most
commonly seen DMVPN deployed solo or accompanying MPLS as a secondary path (as either primary or backup).
This allows a customer to use MPLS as their primary path, but DMVPN as their backup path in case of an MPLS
outage. Traffic engineering based on prefix length (summaries vs more specific prefixes), route types, metrics, etc.
can be used to split traffic over both WAN paths as required.
 
DMVPN is a suite of protocols working together to offer encrypted WAN connectivity. NHRP, mGRE, IPSEC, an IGP (most commonly EIGRP), and CEF al
support DMVPN networks. NHRP is responsible for mapping the NBMA IP (public IP) of each node in the DMVPN network. It communicates via a serie
and Resolution Request messages to dynamically find the other tunnel nodes to bring up the DMVPN network. NHRP consists of a next hop server (h
(spokes). NHRP basically tells each tunnel location (hub and spokes) how to find one another dynamically. mGRE is responsible for the logical piece, A
 
IPSEC offers encryption to DMVPN networks so that the DMVPN payload is safe as it traverses over the underlay network (i.e., the Internet). The ease
for DMVPN is much greater than with traditional site-to-site tunnels. “Interesting traffic ACLs” are not required for IPSEC with DMVPN, as they are with
tunnels. Any traffic routed over the DMVPN tunnel interface is encrypted with minimal configuration. You can be more specific about what is encrypte
not mandatory.
 
DMVPN requires a network device that supports GRE as well as the other protocols. We most commonly deploy Cisco ISRs. License level must suppor
aforementioned protocols as well.
 
DMVPN offers hub-and-spoke or full mesh “phases”. Phase 1 is hub-and-spoke at control plane and data plane. Phase 2 is hub-and-spoke at control p
at data plane (aka spoke-to-spoke connectivity) via a CEF modification. Phase 3 is hub-and-spoke at control plane, but full mesh at data plane via NHR
NHRP Redirects. All phases have various implications on routing protocols running over them. Phase 3 is the most commonly deployed, but this depe
requirements. There is multicast support over DMVPN tunnels, but additional minimal config is required.
 
CONCLUSION:
 
DMVPN is an easy to deploy, secure, scalable, and cost-effective WAN alternative. It is well documented, stable, and offers many design options. Comp
existing Internet connections and required hardware to stand up their own WAN overlay without much involvement from their providers.

© 2015 High Availability, Inc., All Rights Reserved.