Latest

Home / Cisco / Security / Part 1: Basics about DMVPN

Part 1: Basics about DMVPN

November 07, 2021 ,

Basics about DMVPN

Today we are going to talk about DMVPN. As an easy, dynamic, and scalable solution to building together with IPSEC + GRE VPNs with tunnel protection on Cisco IOS/IOS-XE software devices. DMVPN is based on the NHRP and multipoint GRE tunnels. So let's talk about NHRP and multipoint GRE

As a result, DMVPN creates a distributed NHRP database of all spokes' tunnels mapped to IP addresses. Each spoke maintains a dynamic GRE/IPSEC tunnel to the hub but not to the other spokes. The spokes register as clients of the NHRP server.

Fig 1.1- Sample DMVPN Hub & Spoke topology

So how one spoke communicate the destination behind the other spoke?
The spoke now queries the NHRP server for the outside address of the destination spoke when it needs to send a packet to a subnet behind another spoke. 

As now the peer address known so originating spoke initiate a dynamic GRE/IPSEC tunnel to the destination spoke. Spoke to spoke tunnel us built over the mGRE interface.

Features of DMVPN

  • DMVPN provides dynamic routing between branch sites and corporate headquarters using encrypted tunnels, improving reachability without having to define routes manually.
  • The dynamic routing helps secure the distribution of IP routing tables between branch offices and the corporate headquarters.
  • BGP, OSPF and EIGRP are supported as dynamic routing over the VPN tunnels.
  • A VPN deployment is incredibly simplified thanks to DMVPN, as no crypto maps are required to be tied to the physical interface. Split tunneling is simplified as well. 
  • DMVPN assists network operators in deploying spoke routers which run NAT or behind dynamic NAT devices, increasing branch subnet security. DMVPN supports IP Multicast traffic where IPsec only supports IP Unicast. It provides efficient and scalable distribution of one-to-many and many-to-many traffic.
  • Split tunneling behavior is controlled by the hub, whereas traditional IPsec requires that all spokes are modified. Cisco DMVPN can be deployed in zero-touch deployment models, allowing secure PKI-based device provisioning.
We will talk about the topologies in DMVPN with the configuration example in our next part for DMVPN.