DMVPN

From Baranoski.ca
Revision as of 22:06, 6 April 2015 by Casey

In my opinion, Dynamic Multipoint VPN (DMVPN) is the greatest technology that Cisco has implemented. It has numerous advantages over "traditional" VPN technologies:

  • Simple deployment
  • Can be used over any IP transport (3G/4G, cable, DSL, fibre, etc.)
  • Scalable: no configuration changes are required on the hub as spoke sites are added, removed, or changed
  • Spokes can have static or dynamic IPs. It will even work through NAT.
  • High availability is easy to configure
  • Spokes can communicate with each other directly, without passing through the hub. This can improve spoke-to-spoke performance and minimize the load on the hub.
  • Natively uses standard routing protocols (OSPF, BGP, EIGRP, etc.)
  • Can easily be configured as a backup connection: because it runs a standard routing protocol, and the tunnel interface's default bandwidth (100 kbit/s on IOS) gives its routes a worse metric than the primary link, traffic only falls back to the tunnel when the primary path is lost
  • Can carry multiple network technologies over the same overlay, such as IPv6, multicast, and L2TP tunnels
  • Can be easily integrated into customer IPVPNs in a service provider environment


Basic DMVPN Establishment

Deploying a DMVPN spoke is simple because the hub has no prior knowledge of the spokes: since spoke sites may have dynamic WAN IPs, the hub needs no per-spoke configuration at all. The spokes, in turn, have their hub(s) statically configured. On IOS 15 builds the hub can even be referenced by its DNS name, so the spokes need not be reconfigured if the hub's IP changes.

First, a spoke establishes an ISAKMP/IPsec SA with the hub(s):

HUB1#show crypto isakmp sa
dst             src             state          conn-id slot status
192.0.2.1       198.51.100.1    QM_IDLE            541    0 ACTIVE

Using NHRP (Next Hop Resolution Protocol), each spoke registers with the hub, which records the mapping between the spoke's WAN (NBMA) address and its tunnel (GRE) address; this registration is what brings the mGRE tunnel up:

HUB1#show ip nhrp brief
   Target             Via            NBMA           Mode   Intfc   Claimed
10.10.10.2/32      10.10.10.2      198.51.100.1    dynamic  Tu1     <   >

OSPF creates an adjacency over the GRE tunnel:

HUB1#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.10.10.2        0   FULL/DROTHER    00:00:30    10.10.10.2      Tunnel1

A spoke also learns of the other spokes through the routing protocol running over the hub tunnel and, by resolving their NBMA addresses with NHRP, builds direct spoke-to-spoke tunnels to them as needed:

SPOKE1#show ip nhrp brief
   Target             Via            NBMA           Mode    Intfc   Claimed
10.10.10.1/32       10.10.10.1      192.0.2.1       dynamic  Tu1     <   >
10.10.10.3/32       10.10.10.3      203.0.113.28    dynamic  Tu1     <   >
10.10.10.4/32       10.10.10.4      198.51.100.117  dynamic  Tu1     <   >