Traditionally in a hub and spoke environment, all IPsec tunnels from spoke routers are connected to the central site. Consequently, if a spoke router wants to reach another spoke router, the traffic has to pass through the hub router, which then carries a greater burden in terms of CPU and memory utilisation. The hub router may also require a long and complex configuration depending on the number of spoke routers, because with a traditional hub and spoke VPN configuration each hub router requires separate ISAKMP peer statements, GRE tunnels, crypto ACLs and crypto maps for every spoke.
Dynamic Multipoint Virtual Private Network (DMVPN) solves many of these problems by using existing technologies such as IPsec, GRE tunnels and NHRP. The hub router is configured with a single mGRE interface for all the connections, one IPsec profile and no crypto ACLs. The best bit is that no additional work is required at the hub router when a spoke router is being deployed (as much as I love configuring routers, anything to make life easy is always welcome).
Spoke routers learn about other spoke routers through routing, so a dynamic routing protocol is required for this to operate effectively. Additionally, DMVPN supports multiple hub routers for redundancy and load balancing, and the spoke routers can be either statically or dynamically addressed.
A simple example of DMVPN is below, where each of the spoke routers has a permanent IPsec tunnel to the hub router, but each spoke router will establish a direct IPsec tunnel to other spoke routers as and when required.
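The hub and spoke set-up described above, written out as Cisco IOS configuration. This is an added example, not configuration from the original post: the addresses (hub public 192.0.2.1, tunnel subnet 10.0.0.0/24), interface names, profile names, EIGRP AS 100 and the `<...>` key placeholders are all assumptions.

```cisco
! ===== HUB (assumed: public 192.0.2.1, tunnel 10.0.0.1) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Wildcard peer: no per-spoke ISAKMP peer statement is needed
crypto isakmp key <PRE-SHARED-KEY> address 0.0.0.0 0.0.0.0
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
! One IPsec profile, bound to the tunnel; no crypto ACL or crypto map
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp authentication <NHRP-KEY>
 ! Spokes register dynamically, so new spokes need no hub change
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ! Re-advertise spoke routes to other spokes, keeping the
 ! originating spoke as next hop so spoke-to-spoke tunnels form
 no ip split-horizon eigrp 100
 no ip next-hop-self eigrp 100
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
!
router eigrp 100
 network 10.0.0.0 0.0.0.255
!
! ===== SPOKE (same crypto block as the hub; tunnel 10.0.0.2) =====
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip nhrp authentication <NHRP-KEY>
 ! Static mapping to the hub: the permanent tunnel
 ip nhrp map 10.0.0.1 192.0.2.1
 ip nhrp map multicast 192.0.2.1
 ip nhrp nhs 10.0.0.1
 ip nhrp network-id 1
 ! Source is an interface, so the spoke's public address may be dynamic
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
!
router eigrp 100
 network 10.0.0.0 0.0.0.255
```

The wildcard pre-shared key is what lets spokes be added without touching the hub, but it also means every router in the cloud shares one secret, so a key recovered from any single spoke exposes the whole DMVPN. Certificate-based IKE authentication keeps the same zero-touch hub behaviour while allowing an individual spoke to be revoked.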