This blog covers network and system administration articles and the configuration of various devices, mostly on Cisco and Microsoft platforms.

Thursday, August 6, 2015

Dynamic Multipoint Virtual Private Network (DMVPN)

DMVPN is a dynamic form of VPN that builds a full-mesh VPN network on demand on top of a hub-and-spoke topology. It addresses the growing demand for connecting branch offices to headquarters and to each other.
DMVPN itself is not a protocol; it is a design model built on standard protocols: GRE (in its multipoint form, mGRE), NHRP and IPsec. IPsec is optional and is added when the tunnelled data must be encrypted and authenticated.

Why choose DMVPN

Lower administration cost: no more separate tunnel interfaces for each additional spoke.
Simplified hub router configuration: DMVPN offers zero-touch configuration, i.e. the hub is configured once, regardless of how many spokes are added later.
Dynamic spoke-to-spoke tunnel establishment: using NHRP, DMVPN is capable of direct branch-to-branch (spoke-to-spoke) connectivity. This also reduces delay for latency-sensitive business applications such as voice traffic.
No need for static IP addresses at branch offices: DMVPN can connect spokes to the hub and to each other even when they have dynamic public IP addresses. A static IP address is only required for the hub router (the headquarters router).

Optional strong security with IPsec: IPsec can be layered over GRE (mGRE) to encrypt and authenticate the passenger-protocol traffic, which improves business resiliency.

DMVPN Operation

A DMVPN is an evolved form of hub-and-spoke tunnelling. In traditional hub-and-spoke tunnelling, all the spokes are connected to the centralized device (the hub) through static tunnels (implemented with IPsec or GRE). Each additional spoke requires additional configuration on the hub, and traffic between spokes transits through the hub (at the hub the packet leaves the source spoke-to-hub tunnel, is re-encapsulated and is forwarded towards the destination spoke). This solution is only acceptable at small scale, and it grows unwieldy as the number of spokes increases (i.e. it loads the hub).

Fig 1: Comparison of p2p GRE (VPN,full mesh) tunnelling and DMVPN 
DMVPN provides an elegant solution to this problem with multipoint GRE tunnelling. Recall that a GRE tunnel encapsulates IP packets with a GRE header and an outer IP header for transport across an untrusted network. Also recall that a point-to-point GRE tunnel has exactly two endpoints, and each tunnel on a router requires a separate virtual interface with its own independent configuration and IP address. A multipoint GRE (mGRE) tunnel, on the other hand, allows more than two endpoints and is treated as a non-broadcast multi-access (NBMA) network.

A legacy hub-and-spoke setup would require three separate tunnels from the hub to the spokes (i.e. the hub would have three tunnel interfaces) in this scenario. Multipoint GRE, however, allows all four routers to have a single tunnel interface in the same IP subnet.

Dynamic tunneling of DMVPN

While DMVPN certainly provides a tidy configuration from the start, its real strength lies in its ability to establish spoke-to-spoke tunnels dynamically. In a typical hub-and-spoke connection, traffic sourced from one spoke and destined for another spoke must transit the hub: at the hub the packet is de-encapsulated as it exits one tunnel and then re-encapsulated to enter the other. The shortest path, however, is the direct one. In the traditional approach that direct path is only available through a static full-mesh configuration, but DMVPN lets us use it dynamically through the Next Hop Resolution Protocol (NHRP).

Next Hop resolution protocol (NHRP)

NHRP, defined in RFC 2332, is the catalyst that provides dynamic tunnel establishment by resolving tunnel (overlay) addresses to physical (underlay) interface addresses. An NHRP client (a spoke) asks the Next Hop Server (NHS), which is the hub, for the physical address of another spoke router.



DMVPN Configuration

