Dynamic Multipoint Virtual Private Network

This is an old revision of this page, as edited by Funandtrvl (talk | contribs) at 22:13, 21 February 2014 (removed Category:Internet privacy; added Category:Virtual private networks using HotCat).

Dynamic Multipoint Virtual Private Network (DMVPN)[1] is a dynamic tunneling form of a virtual private network (VPN) supported on Cisco IOS-based routers and Unix-like operating systems, built on the standard protocols GRE, NHRP and IPsec. DMVPN provides the capability to create a dynamic-mesh VPN network without having to pre-configure (statically) all possible tunnel end-point peers, including IPsec (Internet Protocol Security) and ISAKMP (Internet Security Association and Key Management Protocol) peers. DMVPN is initially configured to build out a hub-and-spoke network by statically configuring the hubs (VPN headends) on the spokes; no change in the configuration on the hub is required to accept new spokes. Using this initial hub-and-spoke network, tunnels between spokes can be dynamically built on demand (dynamic-mesh) without additional configuration on the hubs or spokes. This dynamic-mesh capability removes the need for the hub to carry the load of routing data between the spoke networks.

DMVPN is a combination of the following technologies:

  • Multipoint GRE (mGRE)
  • Next-Hop Resolution Protocol (NHRP)
  • Dynamic Routing Protocol (EIGRP, RIP, OSPF, BGP)
  • Dynamic IPsec encryption
  • Cisco Express Forwarding (CEF)

Configuration details

A DMVPN spoke is configured with one or more hub IP addresses. DMVPN hub IP addresses are typically static, such as at a corporate headquarters. DMVPN spoke IP addresses may be static or dynamic. For example, a DMVPN spoke router can be configured as a DHCP client on a DSL or cable provider's network, or even be behind a NAT (Network Address Translation) gateway. The spoke router is configured with the hub's IP address, allowing it to establish a tunnel with the hub router.

A key feature of DMVPN is that the hub router only needs a single tunnel interface to be configured, and does not need separate configuration sections for each of the spoke routers. This allows spoke VPN routers to be deployed without the need to configure additional peers on the hub(s). It also significantly reduces the amount of configuration required on the hub router.

Internal routing

Routing protocols such as OSPF, EIGRP v1 or v2, or BGP are generally run between the hub and spokes to allow for growth and scalability. The Cisco-proprietary EIGRP is generally considered preferable, as it is an advanced distance-vector protocol that better matches the NBMA (Non-Broadcast Multi-Access) style network that DMVPN builds. Both EIGRP and BGP allow a higher number of supported spokes per hub (Matthew Kerfoot).[2]

Encryption

As with GRE tunnels, DMVPN allows for several encryption schemes (including none) for the data traversing the tunnels. For security reasons, Cisco recommends that customers use AES.[3]

Summary

In summary, DMVPN is a framework technology consisting of:

  • Generic Routing Encapsulation (GRE), RFC 1701, or multipoint GRE if spoke-to-spoke tunnels are desired
  • NHRP (next-hop resolution protocol), RFC 2332
  • IPsec (Internet Protocol Security) using an IPsec profile, which is associated with a virtual tunnel interface in IOS software. All traffic sent via the tunnel is encrypted according to the configured policy (IPsec transform set)
  • An IP based routing protocol, EIGRP, OSPF, RIPv2, BGP or ODR (DMVPN hub-and-spoke only).[4]
