What is DMVPN?
DMVPN (Dynamic Multipoint VPN) is a Cisco solution for building dynamic, scalable IPsec+GRE VPNs that connect multiple sites in a hub-and-spoke, partial-mesh or full-mesh topology without a separate tunnel configuration for every pair of sites.
DMVPN components
- CEF (Cisco Express Forwarding)
- GRE (Generic Routing Encapsulation) – point-to-point GRE and mGRE (multipoint GRE, one tunnel interface for many peers)
- NHRP (Next Hop Resolution Protocol)
- Dynamic Routing protocol
- IPsec (IKE + ESP) to encrypt and authenticate the GRE tunnels; technically optional in DMVPN, but without it the GRE tunnels carry everything in clear text
DMVPN Terminology
- NBMA IP Address – Typically a public IP address on the internet-facing interface
- Tunnel IP Address – GRE Tunnel interface IP address
- NHS (Next Hop Server) – DMVPN Hub Router(s)
- NHC (Next Hop Client) – DMVPN Spoke Router(s)
Types of IP Addresses in GRE or mGRE with DMVPN
- The public IP addresses of the hub and spokes are called infrastructure IP addresses, outside IP addresses, service provider addresses or NBMA IP addresses; all of these names mean the same thing.
- The private tunnel IP addresses of the hub and spokes (the tunnel IP address) are also called the enterprise addressing space or inside addresses.
NHRP – Next Hop Resolution Protocol
- Next Hop Resolution Protocol (NHRP) is a client-server protocol in which the hub acts as the NHRP server (NHS) and the spokes are the NHRP clients (NHCs).
- NHRP mappings of tunnel IP address to NBMA IP address can be static (configured on each spoke for the hub) or dynamic (learned through spoke registration and resolution requests).
- The hub router maintains the NHRP database (cache) of these mappings.
How DMVPN Works?
- Initially each spoke establishes a permanent GRE+IPsec tunnel to the hub. The hub's NBMA address must be static and known to all spokes.
- Each spoke registers its NBMA IP address as a client with the NHRP server on the hub. The NHRP server maintains an NHRP database of the public-interface (NBMA) IP address of every spoke.
- When a spoke needs to send packets to a destination subnet behind another spoke, it sends an NHRP resolution request to the NHRP server to learn the NBMA address of that spoke so that it can build a direct tunnel.
- The NHRP server looks up the destination spoke in the NHRP database and replies with the NBMA address of the target router.
- After the originating spoke learns the NBMA IP address of the target spoke, it initiates a dynamic IPsec tunnel directly to the target spoke.
- With the integration of the multipoint GRE (mGRE) interface, NHRP and IPsec, a direct dynamic spoke-to-spoke tunnel is established over the DMVPN network.
- Adding a new spoke router to the DMVPN requires no configuration change on the hub. The spoke is configured with the hub information and dynamically registers with the hub router.
DMVPN Network Designs
Phase 1 – Hub to Spoke Design
- An mGRE tunnel is configured on the hub and point-to-point GRE tunnels on the spokes
- Multicast and unicast traffic flow between the hub and spokes only
- No direct spoke-to-spoke traffic flow
- Spoke-to-spoke traffic traverses the hub
- Route summarization at the hub is possible, since every spoke only needs a route towards the hub
Phase 2 – Spoke to Spoke Design
- The hub and all spokes are configured with mGRE tunnels
- Spoke-to-spoke traffic traverses a direct, dynamically built VPN tunnel
- Route summarization at the hub is not feasible, because each spoke needs specific routes whose next hop is the remote spoke's tunnel IP address (the hub must not rewrite the next hop to itself)
Phase 3 – Hierarchical (Tree-Based) Design
- Phase 3 extends the Phase 2 design with the capability to establish dynamic, direct spoke-to-spoke tunnels between different DMVPN networks across multiple regions.
- All regional DMVPN networks are bound together, including the central hubs, to form a single hierarchical (tree-based) DMVPN network.
- The hub and all spokes are configured with mGRE tunnels; the hub sends NHRP redirects and the spokes install NHRP shortcuts, so the hub can again advertise summary routes towards the spokes.
- Spokes in different regions can establish direct tunnels with each other, thereby bypassing both the regional and central hubs.
Stay tuned for the different DMVPN configurations in the next blogs!