Cisco Dynamic Multipoint VPN (DMVPN) Phases 1, 2 and 3

This post covers the following subjects: DMVPN Phases 1, 2 and 3, architecture and functionality, core technologies, Cisco Dynamic Multipoint VPN, and how spoke-to-spoke communication works.

Cisco Dynamic Multipoint VPN


Dynamic Multipoint VPN (DMVPN) is a Cisco proprietary technology designed to build many Virtual Private Networks (VPNs) in a scalable, dynamic and simple way. DMVPN serves both as an Internet VPN technology and as an alternative form of WAN access connectivity.

The main objective of DMVPN is to build a dynamic, secure mesh between many remote locations (spokes) starting from nothing more than a basic hub-and-spoke configuration.

Architecture and Functionality

DMVPN begins with a hub-and-spoke setup, in which several branch routers (spokes) are connected to a central router (the hub). Important architectural elements consist of:

Dynamic Mesh Topology: Although it starts out configured as hub-and-spoke, DMVPN creates direct spoke-to-spoke tunnels on demand, effectively forming a full mesh whenever one is required.

Scalability and Simplicity: Compared with conventional static VPNs, which require a manually configured point-to-point tunnel for every connection, DMVPN greatly reduces configuration complexity. To serve all spokes, the administrator configures a single IPsec profile and a single Multipoint Generic Routing Encapsulation (mGRE) tunnel interface on the hub router. The size of the hub configuration stays roughly constant regardless of how many spoke routers are deployed.

Performance: Direct spoke-to-spoke tunnels let branch traffic bypass the central hub, which lowers latency, improves efficiency and preserves hub bandwidth. Without them, spoke-to-spoke traffic frequently had to "hairpin" through the hub, traversing it twice.

Security: DMVPN uses FIPS 140-2 certified IPsec (the US government standard) to provide strong encryption, privacy and authentication for the dynamic site-to-site tunnels.


Core Technologies

DMVPN is built upon the integration of three core technologies:

Technology | Role | Function
Multipoint GRE (mGRE) | Tunnelling protocol | An enhanced version of GRE that lets a single GRE tunnel interface dynamically support multiple IPsec tunnels to different spokes, greatly simplifying configuration compared with standard point-to-point GRE.
Next Hop Resolution Protocol (NHRP) | Mapping/discovery service | Maps the private tunnel IP addresses to the public (Non-Broadcast Multi-Access, or NBMA) IP addresses of all spokes. The hub acts as the NHRP server and maintains a database of spoke addresses; the spokes act as NHRP clients and dynamically register their public IP addresses when they come online.
IPsec encryption | Security | Provides the encryption and authentication needed to carry private traffic, encapsulated inside the GRE tunnels, securely over public networks such as the Internet.

Another crucial element is a dynamic routing protocol, which runs over the tunnel interfaces to discover routes between the sites and steer traffic. EIGRP, OSPF, BGP and RIP are all used for this purpose.


How Spoke-to-Spoke Communication Works

The dynamic behaviour that makes direct spoke-to-spoke communication possible depends on NHRP:

Registration: Each spoke (NHRP client) first brings up a permanent GRE/IPsec tunnel to the hub (NHRP server) and registers with it. Through this registration the hub learns the current IP address of each spoke's public physical interface (its NBMA address).

Resolution Request: When Spoke A needs to send a packet to a destination subnet behind Spoke B, it sends the hub an NHRP resolution request asking for Spoke B's real (public/NBMA) IP address.

Direct Tunnel Setup: The hub looks Spoke B up in its NHRP cache and answers Spoke A with an NHRP resolution reply containing Spoke B's public IP address.

Traffic Flow: Using this freshly learned address, Spoke A dynamically brings up a direct IPsec tunnel to Spoke B, and data packets no longer pass through the hub. To conserve resources, spoke-to-spoke tunnels are built on demand and torn down again after a period of inactivity. Spokes with dynamic public IP addresses are supported as well, because a spoke only needs to register its current address with the NHRP server.

DMVPN Phase 1 2 3


DMVPN deployments are commonly divided into three phases, distinguished by how spoke-to-spoke traffic is routed:

  • Phase 1 (Hub-and-Spoke Only): All spoke-to-spoke traffic must pass through the central hub. In this phase the spokes usually use regular point-to-point GRE rather than mGRE.
  • Phase 2 (Spoke-to-Spoke Dynamic Tunnels): Direct, dynamic spoke-to-spoke tunnels are built on demand. Every spoke must use an mGRE interface. Because this phase requires full-mesh routing information, route summarisation cannot be used as freely.
  • Phase 3 (Enhanced Scalability): Direct, dynamic spoke-to-spoke tunnels are also supported. Using NHRP redirect and shortcut messages, Phase 3 scales better than Phase 2 and lets administrators summarise routes on the spokes. Phase 3 is now generally regarded as the preferred implementation.
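The following Python model is an added example, not Cisco code or part of the original post. It ties together the spoke-to-spoke procedure above (registration, resolution request and reply, on-demand tunnel build and idle teardown) with the three phases: Phase 1 always hairpins through the hub, a Phase 2 spoke resolves the remote spoke's tunnel IP that its specific route carries as next hop, and a Phase 3 spoke keeps a summarised route toward the hub and installs a per-prefix shortcut after the hub's NHRP redirect. The spoke names, tunnel and NBMA addresses, LAN prefixes and the idle timeout are constructed values; in a real Phase 3 network the resolution reply comes from the destination spoke rather than from the hub's database, which is simplified here.

```python
"""Constructed model of DMVPN NHRP behaviour in Phases 1, 2 and 3 (added example)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Spoke:
    name: str
    tunnel_ip: str      # private mGRE tunnel address
    nbma_ip: str        # public (NBMA) address; may be dynamic
    lan_prefix: str     # subnet behind this spoke
    phase: int = 3
    nhrp_cache: dict = field(default_factory=dict)   # key -> remote NBMA address
    tunnel_idle: dict = field(default_factory=dict)  # remote NBMA -> idle ticks


class Hub:
    """NHRP server: owns the tunnel-IP -> NBMA database built from registrations."""

    def __init__(self):
        self.nhrp_db = {}    # tunnel_ip -> nbma_ip
        self.routes = {}     # lan_prefix -> tunnel_ip of the owning spoke
        self.messages = []   # trace of NHRP control-plane events

    def register(self, spoke):
        """NHRP registration: a spoke reports its current NBMA address."""
        self.nhrp_db[spoke.tunnel_ip] = spoke.nbma_ip
        self.routes[spoke.lan_prefix] = spoke.tunnel_ip
        self.messages.append(f"registration {spoke.tunnel_ip} -> {spoke.nbma_ip}")

    def next_hop_for(self, dst_ip):
        """Return the tunnel IP of the spoke whose LAN prefix contains dst_ip."""
        addr = ipaddress.ip_address(dst_ip)
        for prefix, tunnel_ip in self.routes.items():
            if addr in ipaddress.ip_network(prefix):
                return tunnel_ip
        return None

    def resolve(self, tunnel_ip):
        """NHRP resolution: the database is looked up, never cleared."""
        nbma = self.nhrp_db.get(tunnel_ip)
        self.messages.append(f"resolution-reply {tunnel_ip} -> {nbma}")
        return nbma


def send(src, dst_ip, hub, spokes):
    """Forward one packet from behind `src` to dst_ip; returns the routers traversed."""
    nh_tunnel = hub.next_hop_for(dst_ip)
    dst = next((s for s in spokes if s.tunnel_ip == nh_tunnel), None)
    if dst is None:
        return []                              # no route: packet is dropped
    if src.phase == 1:
        return [src.name, "hub", dst.name]     # p2p GRE to the hub only: always hairpins
    # Phase 2 routes keep the remote spoke's tunnel IP as next hop, so the cache is
    # keyed by tunnel IP; a Phase 3 spoke holds a summarised route toward the hub
    # and caches a shortcut keyed by the destination prefix instead.
    key = dst.tunnel_ip if src.phase == 2 else dst.lan_prefix
    if key in src.nhrp_cache:
        src.tunnel_idle[src.nhrp_cache[key]] = 0   # tunnel in use: reset idle timer
        return [src.name, dst.name]
    if src.phase == 3:
        # The hub forwarded the packet out the same mGRE interface it arrived on,
        # so it sends an NHRP redirect telling the source spoke to find a shortcut.
        hub.messages.append(f"redirect -> {src.tunnel_ip} for {dst_ip}")
    nbma = hub.resolve(dst.tunnel_ip)          # resolution request/reply
    src.nhrp_cache[key] = nbma                 # direct GRE/IPsec tunnel now exists
    src.tunnel_idle[nbma] = 0
    return [src.name, "hub", dst.name]         # the triggering packet still went via hub


def idle_tick(spoke, timeout):
    """One idle interval: tear down spoke-to-spoke tunnels unused for `timeout` ticks."""
    for nbma in list(spoke.tunnel_idle):
        spoke.tunnel_idle[nbma] += 1
        if spoke.tunnel_idle[nbma] >= timeout:
            del spoke.tunnel_idle[nbma]
            spoke.nhrp_cache = {k: v for k, v in spoke.nhrp_cache.items() if v != nbma}
    return sorted(spoke.tunnel_idle)           # remaining active spoke-to-spoke tunnels


def demo(phase):
    """Two spokes behind one hub; Spoke A sends two packets into Spoke B's LAN."""
    hub = Hub()
    a = Spoke("SpokeA", "10.0.0.2", "203.0.113.2", "192.168.1.0/24", phase)
    b = Spoke("SpokeB", "10.0.0.3", "198.51.100.3", "192.168.2.0/24", phase)
    hub.register(a)
    hub.register(b)
    first = send(a, "192.168.2.10", hub, [a, b])
    second = send(a, "192.168.2.20", hub, [a, b])
    return first, second, dict(a.nhrp_cache), list(hub.messages)


if __name__ == "__main__":
    for p in (1, 2, 3):
        print(f"Phase {p}:", demo(p))
```

Running `demo()` for each phase shows the difference the text describes: in Phase 1 both packets traverse the hub and Spoke A's NHRP cache stays empty; in Phases 2 and 3 only the first packet hairpins, and the second goes direct. The cache key differs, which is the point of Phase 3: a shortcut for the whole 192.168.2.0/24 prefix is enough even though Spoke A's own routing table is summarised, whereas Phase 2 needs the specific next-hop tunnel address. `idle_tick()` models the teardown after inactivity, after which the next packet hairpins again and triggers a fresh resolution.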


Agarapu Geetha
My name is Agarapu Geetha, a B.Com graduate with a strong passion for technology and innovation. I work as a content writer at Govindhtech, where I dedicate myself to exploring and publishing the latest updates in the world of tech.