Dynamic Multipoint Virtual Private Network (DMVPN) is a dynamic tunneling form of a

virtual private network A virtual private network (VPN) extends a private network across a public network and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. The be ...

(VPN) supported on Cisco IOS-based routers, and Huawei AR G3 routers, and on Unix-like

operating system An operating system (OS) is system software that manages computer hardware, software resources, and provides common services for computer programs. Time-sharing operating systems schedule tasks for efficient use of the system and may also in ...

Benefits

DMVPN provides the capability for creating a dynamic-mesh VPN network without having to pre-configure (static) all possible tunnel end-point peers, including

IPsec In computing, Internet Protocol Security (IPsec) is a secure network protocol suite that authenticates and encrypts packets of data to provide secure encrypted communication between two computers over an Internet Protocol network. It is used in ...

(Internet Protocol Security) and

ISAKMP Internet Security Association and Key Management Protocol (ISAKMP) is a protocol defined by RFC 2408 for establishing Security association (SA) and cryptographic keys in an Internet environment. ISAKMP only provides a framework for authentication an ...

(Internet Security Association and Key Management Protocol) peers. DMVPN is initially configured to build out a hub-and-spoke network by statically configuring the hubs (VPN headends) on the spokes, no change in the configuration on the hub is required to accept new spokes. Using this initial hub-and-spoke network, tunnels between spokes can be dynamically built on demand (dynamic-mesh) without additional configuration on the hubs or spokes. This dynamic-mesh capability alleviates the need for any load on the hub to route data between the spoke networks.

Technologies

Generic Routing Encapsulation Generic Routing Encapsulation (GRE) is a tunneling protocol developed by Cisco Systems that can encapsulate a wide variety of network layer protocols inside virtual point-to-point links or point-to-multipoint links over an Internet Protocol netw ...

(GRE), , or multipoint GRE if spoke-to-spoke tunnels are desired * NHRP (next-hop resolution protocol), *

(Internet Protocol Security) using an IPsec profile, which is associated with a virtual tunnel interface in IOS software. All traffic sent via the tunnel is encrypted per the policy configured (IPsec transform set) * An IP-based routing protocol,

EIGRP Enhanced Interior Gateway Routing Protocol (EIGRP) is an advanced distance-vector routing protocol that is used on a computer network for automating routing decisions and configuration. The protocol was designed by Cisco Systems as a proprietary pr ...

, OSPF, RIPv2,

BGP Border Gateway Protocol (BGP) is a standardized exterior gateway protocol designed to exchange routing and reachability information among autonomous system (Internet), autonomous systems (AS) on the Internet. BGP is classified as a path-vector ...

or ODR (DMVPN hub-and-spoke only).

Internal routing

Routing protocol A routing protocol specifies how routers communicate with each other to distribute information that enables them to select routes between nodes on a computer network. Routers perform the traffic directing functions on the Internet; data packets ...

s such as OSPF, EIGRP v1 or v2 or

are generally run between the hub and spoke to allow for growth and scalability. Both

and

allow a higher number of supported spokes per hub.

Encryption

As with

GRE The Graduate Record Examinations (GRE) is a standardized test that is an admissions requirement for many graduate schools in the United States and Canada and a few other countries. The GRE is owned and administered by Educational Testing Servi ...

tunnels, DMVPN allows for several

encryption In cryptography, encryption is the process of encoding information. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext. Ideally, only authorized parties can decip ...

schemes (including none) for the encryption of data traversing the tunnels. For security reasons Cisco recommend that customers use

AES AES may refer to: Businesses and organizations Companies * AES Corporation, an American electricity company * AES Data, former owner of Daisy Systems Holland * AES Eletropaulo, a former Brazilian electricity company * AES Andes, formerly AES Gener ...

.DMVPN Design Guide: Best Practices and Known Limitations
/ref>

Phases

DMVPN has three phases that route data differently. * Phase 1: All traffic flows from spokes to and through the hub. * Phase 2: Start with Phase 1 then allows spoke-to-spoke tunnels based on demand and triggers. * Phase 3: Starts with Phase 1 and improves scalability of and has fewer restrictions than Phase 2.

References

External links

Cisco SystemsDMVPN ManagementSites Unblocker HomepageWhat Is Double VPN And How To Use ItOpen Source NHRP Protocol Implementation
{{VPN Network architecture Virtual private networks Cisco protocols