DMVPN: Dynamic Multipoint VPN

Today I am going to talk about a very important topic, one that is generally used where we require scalable IPsec tunnelling to connect Virtual Private Networks. Enterprises are moving to the internet to save a huge amount of money, and they also require secure connectivity between their various sites over the internet.

Service providers came up with the solution of IPsec, where two sites are connected over the internet via a secured, encrypted tunnel. IPsec is excellent in its operation, but it does not scale to connect multiple sites, because IPsec is a point-to-point method of secure connectivity over the internet.

Service providers and OEMs jointly arrived at a new, scalable and secure way of connecting multiple sites over the internet, and this technology is called DMVPN (Dynamic Multipoint VPN).

Let's talk about DMVPN in detail now. DMVPN uses multipoint GRE (mGRE), which means that it builds tunnels and transports the data over them. A tunnel is built from the spoke to the hub, and this tunnel is always active. Tunnels may also be built from one spoke to another spoke, depending on which phase of DMVPN is deployed in your enterprise network.

Fig 1.1- DMVPN basic topology
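
A minimal configuration sketch of the hub-and-spoke mGRE tunnel described above, with IPsec protecting the tunnel. This is an added example, not part of the original post; it assumes Cisco IOS syntax and NHRP for spoke registration, and the addresses, object names and pre-shared key placeholder are constructed.

```cisco
! Added example. Constructed values: hub public IP 198.51.100.1,
! tunnel subnet 10.0.0.0/24, names DMVPN-*, placeholder PSK.
! ---------- HUB ----------
crypto ikev2 keyring DMVPN-KEYS
 peer SPOKES
  ! Wildcard PSK keeps the sketch short; per-spoke certificates
  ! avoid one shared secret across every site.
  address 0.0.0.0 0.0.0.0
  pre-shared-key <PLACEHOLDER-PSK>
crypto ikev2 profile DMVPN-IKEV2
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local DMVPN-KEYS
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-PROT
 set transform-set DMVPN-TS
 set ikev2-profile DMVPN-IKEV2
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp network-id 1
 ! Hub learns spokes dynamically when they register
 ip nhrp map multicast dynamic
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 ! Without this line the GRE tunnel crosses the internet unencrypted
 tunnel protection ipsec profile DMVPN-PROT
! ---------- SPOKE (same crypto section as the hub) ----------
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip nhrp network-id 1
 ! Static pointer to the hub: this is the always-active tunnel
 ip nhrp nhs 10.0.0.1
 ip nhrp map 10.0.0.1 198.51.100.1
 ip nhrp map multicast 198.51.100.1
 tunnel source GigabitEthernet0/0
 ! mGRE on the spoke permits spoke-to-spoke tunnels in later phases
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROT
```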

DMVPN allows remote offices to communicate directly with each other over the internet, such as when using voice over IP (VoIP) between two remote offices, without requiring a permanent VPN connection between the sites. It enables zero-touch deployment of IPsec VPNs and improves network performance by reducing latency and jitter, while optimising head office bandwidth utilisation.

Traffic over the internet has no real guarantees for packet transport. Since packets will travel through multiple ISPs, there is no way of guaranteeing parameters like RTT and jitter, or that QoS markings are preserved. This can be important to you, depending on what applications you are using. It’s still possible to use QoS for shaping and prioritizing traffic on your routers, but any markings will not be honoured by the ISPs forwarding your traffic.

Some of the benefits of using DMVPN in the enterprise network:

  • Deployment and operational costs: With the help of DMVPN technology you can reduce the cost of integrating voice and video with VPN security.
  • Branch network simplification: DMVPN enables direct branch-to-branch connectivity for business applications like voice. Voice packets are important and should be delivered to the other end without delay and jitter, and with the help of DMVPN technology you can achieve that with no loss.
  • Reduces deployment complexity: DMVPN offers you zero-touch configuration, dramatically reducing the deployment complexity of Virtual Private Networks (VPNs).
  • Improves business resiliency: DMVPN prevents disruption of the most important business-critical applications and services by combining routing with standards-based IPsec technology.

Fig 1.2- Multiple DMVPN network topology

The diagram above shows multiple DMVPN networks connecting the various sites. You can maintain two different networks and have them communicate securely without interrupting each other's network.

One concern arises when you deploy the network across the WAN. If you have an MPLS network with two links, you have redundancy in the network, but what about redundancy with DMVPN? Redundancy requirements should also be considered. Redundancy can be added at the hub level by having two hubs. Redundancy can also be provided by using two ISPs, a so-called dual-cloud topology. There’s also the possibility of adding redundancy at the spoke by using multiple spoke routers.

Thanks Stay Connected, Stay Educated