Dynamic Multipoint Virtual Private Network
Dynamic Multipoint Virtual Private Network (DMVPN) is a dynamic tunneling form of a virtual private network (VPN) supported on Cisco IOS-based routers and Unix-like Operating Systems based on the standard protocols, GRE, NHRP and IPsec. This DMVPN provides the capability for creating a dynamic-mesh VPN network without having to pre-configure (static) all possible tunnel end-point peers, including IPsec (Internet Protocol Security) and ISAKMP (Internet Security Association and Key Management Protocol) peers. DMVPN is initially configured to build out a hub-and-spoke network by statically configuring the hubs (VPN headends) on the spokes, no change in the configuration on the hub is required to accept new spokes. Using this initial hub-and-spoke network, tunnels between spokes can be dynamically built on demand (dynamic-mesh) without additional configuration on the hubs or spokes. This dynamic-mesh capability alleviates the need for any load on the hub to route data between the spoke networks.
DMVPN is combination of the following technologies:
- Multipoint GRE (mGRE)
- Next-Hop Resolution Protocol (NHRP)
- Dynamic Routing Protocol (EIGRP, RIP, OSPF, BGP)
- Dynamic IPsec encryption
- Cisco Express Forwarding (CEF)
Routing protocols such as OSPF, EIGRPv1 or v2 or BGP are generally run between the hub and spoke to allow for growth and scalability. The Cisco-proprietary EIGRP is generally considered preferable as it is an advanced distance vector style protocol which better matches with the NBMA (Non-Broadcast Multi-Access) style network that DMVPN builds. Both EIGRP and BGP allow a higher number of supported spokes per hub. Matthew Kerfoot.
In summary, DMVPN is a frame-work technology, consisting of:
- Generic Routing Encapsulation (GRE), RFC 1701, or multipoint GRE if spoke-to-spoke tunnels are desired
- NHRP (next-hop resolution protocol), RFC 2332
- IPsec (Internet Protocol Security) using an IPsec profile, which is associated to a virtual tunnel interface in IOS software. All traffic sent via the tunnel is encrypted per the policy configured (IPsec transform set)
- An IP based routing protocol, EIGRP, OSPF, RIPv2, BGP or ODR (DMVPN hub-and-spoke only).