- Dynamic Multipoint Virtual Private Network
A Dynamic Multipoint Virtual Private Network is an enhancement of the virtual private network (VPN) configuration process of Cisco IOS-based routers. DMVPN prevents the need for pre-configured (static) IPsec (Internet Protocol Security) peers in crypto-map configurations and ISAKMP (Internet Security Association and Key Management Protocol) peer statements. This feature of Cisco IOS allows greater scalability over previous IPsec configurations. An IPsec tunnel between two Cisco routers may be created on an as needed basis. Tunnels may be created between a spoke router and a hub router (VPN headend), or between spokes. This greatly alleviates the need for the hub to route data between spoke networks, as was common in a non-fully meshed frame relay topology.
A DMVPN Spoke is configured with one or more hub IP addresses. DMVPN hub IP addresses are typically static, such as at a corporate headquarters. DMVPN spoke IP addresses may be static, or dynamic. An example would be a DMVPN spoke router acting as a DHCP client on a DSL or cable provider's network. The spoke router is configured with the hub's IP address, allowing it to connect when online. The hub router does not need to be configured with the IP addresses of the spoke routers. This allows many-spoke VPN routers to be deployed without the need to configure additional peers on the hub(s). In the past the configuration of the hub grew whenever a spoke VPN router was added to the ipsec network.
For internal routing, a dynamic routing protocol is used between the spokes and the hub, as well as other spokes. Cisco EIGRP, or OSPF routing protocols are commonly used for further scalability. DMVPN is considered by many engineers as superior to early dynamic ipsec technologies such as TED (tunnel endpoint discovery).
In summary, DMVPN is a frame-work technology, consisting of:
- An IPsec profile, which is associated to a virtual tunnel interface in IOS software. Traffic sent via the tunnel is encrypted per the policy configured (IPsec transform set)
- Generic Routing Encapsulation (GRE), or multipoint GRE if spoke-to-spoke tunnels are desired
- NHRP (next-hop resolution protocol), RFC 2332
- A dynamic routing protocol, DUAN, ODR, RIP, EIGRP, OSPF, ISIS, BGP
Wikimedia Foundation. 2010.