Dynamic Multipoint Virtual Private Network

From Wikipedia, the free encyclopedia
Jump to: navigation, search

Dynamic Multipoint Virtual Private Network (DMVPN)[1] is a dynamic tunneling form of a virtual private network (VPN) supported on Cisco IOS-based routers, Huawei AR G3 routers[2] and USG firewalls, and on Unix-like operating systems.


DMVPN provides the capability for creating a dynamic-mesh VPN network without having to pre-configure (static) all possible tunnel end-point peers, including IPsec (Internet Protocol Security) and ISAKMP (Internet Security Association and Key Management Protocol) peers. DMVPN is initially configured to build out a hub-and-spoke network by statically configuring the hubs (VPN headends) on the spokes, no change in the configuration on the hub is required to accept new spokes. Using this initial hub-and-spoke network, tunnels between spokes can be dynamically built on demand (dynamic-mesh) without additional configuration on the hubs or spokes. This dynamic-mesh capability alleviates the need for any load on the hub to route data between the spoke networks.


  • Generic Routing Encapsulation (GRE), RFC 1701, or multipoint GRE if spoke-to-spoke tunnels are desired
  • NHRP (next-hop resolution protocol), RFC 2332
  • IPsec (Internet Protocol Security) using an IPsec profile, which is associated with a virtual tunnel interface in IOS software. All traffic sent via the tunnel is encrypted per the policy configured (IPsec transform set)
  • An IP based routing protocol, EIGRP, OSPF, RIPv2, BGP or ODR (DMVPN hub-and-spoke only).[3]

Internal routing[edit]

Routing protocols such as OSPF, EIGRPv1 or v2 or BGP are generally run between the hub and spoke to allow for growth and scalability. The Cisco-proprietary EIGRP is generally considered preferable[by whom?] as it is an advanced distance vector style protocol which better matches with the NBMA (Non-Broadcast Multi-Access) style network that DMVPN builds. Both EIGRP and BGP allow a higher number of supported spokes per hub.[4]


As with GRE tunnels, DMVPN allows for several encryption schemes (including none) for the encryption of data traversing the tunnels. For security reasons Cisco recommend that customers use AES.[5]


External links[edit]