DMVPN: Dynamic Multipoint (DMVPN) VPN Overview

DMVPN allows for dynamic on-demand IPsec tunnels between spokes in a hub-and-spoke VPN topology using multipoint GRE tunnels, NHRP, and routing protocols. It reduces the need for static tunnel configurations by creating tunnels dynamically based on traffic. DMVPN has evolved through three phases, with the current phase 3 allowing for scalable spoke-to-spoke tunnels and summarization at hubs.

Uploaded by: moama

DMVPN

Dynamic Multipoint (DMVPN) VPN Overview


In This Section

+ Dynamic Multipoint VPN (DMVPN) Overview
  + What is DMVPN?
  + Why use DMVPN?
  + How DMVPN works
What is DMVPN?

+ Point-to-multipoint Layer 3 overlay VPN
  + Logical hub-and-spoke topology
  + Direct spoke-to-spoke traffic is supported
+ DMVPN uses a combination of…
  + Multipoint GRE Tunnels (mGRE)
  + Next Hop Resolution Protocol (NHRP)
  + IPsec Crypto Profiles
  + Routing
Why Use DMVPN?

+ Independent of SP access method
  + Only requirement is IP connectivity
+ Routing policy is not dictated by SP
  + E.g. MPLS L3VPN restrictions
+ Highly scalable
  + If properly designed
How DMVPN Works

+ DMVPN allows on-demand full-mesh IPsec tunnels with minimal configuration through usage of…
  + Multipoint GRE Tunnels (mGRE)
  + Next Hop Resolution Protocol (NHRP)
  + IPsec Crypto Profiles
  + Routing
+ Reduces need for n*(n-1)/2 static tunnel configurations
+ Uses one mGRE interface for all connections
+ Tunnels are created on-demand between nodes
+ Encryption is optional
  + Without IPsec, passenger traffic and NHRP control messages cross the underlay in cleartext; mGRE and NHRP by themselves provide no confidentiality and no peer authentication
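The IPsec side of the design is where "optional" encryption becomes an actual control. The following Cisco IOS fragment is an added example, not from the slide deck: an IKEv2 profile and an IPsec profile bound to the mGRE interface with tunnel protection. The names (DMVPN-PROP, DMVPN-POL, DMVPN-KEYRING, DMVPN-IKEV2, DMVPN-TS, DMVPN-PROF), the algorithm choices and the pre-shared key placeholder are assumptions for illustration.

```cisco
! IKEv2 proposal and policy (assumed choices: AES-256-CBC, SHA-256, DH group 14)
crypto ikev2 proposal DMVPN-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy DMVPN-POL
 proposal DMVPN-PROP
!
! Wildcard pre-shared key: ANY peer that knows this key is accepted into the cloud.
! Fine for a lab; in production prefer certificates (authentication ... rsa-sig with
! a PKI trustpoint) so that one compromised spoke does not authenticate as every site.
crypto ikev2 keyring DMVPN-KEYRING
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key REPLACE-WITH-A-LONG-RANDOM-SECRET
!
crypto ikev2 profile DMVPN-IKEV2
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local DMVPN-KEYRING
!
! Transport mode: the GRE packet itself is the ESP payload, no second outer IP header
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
 set ikev2-profile DMVPN-IKEV2
!
! Bind the profile to the mGRE interface (assumed name Tunnel0).
! Without this one line the whole overlay, NHRP included, is cleartext GRE.
interface Tunnel0
 tunnel protection ipsec profile DMVPN-PROF
```

Apply the same profile on the hub and on every spoke; a spoke without tunnel protection simply fails IKE and never registers. Verify with `show crypto ikev2 sa`, `show crypto ipsec sa` and `show dmvpn detail`, and check that the transform set, not just the IKE proposal, uses an AEAD or a SHA-2 integrity algorithm.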
How DMVPN Works (cont.)

+ Creates on-demand tunnels between nodes
  + Initial tunnel mesh is hub-and-spoke (always on)
  + Traffic patterns trigger spoke-to-spoke tunnels
+ Solves management scalability problem
+ Maintains tunnels based on traffic patterns
  + Spoke-to-spoke tunnel is on-demand
  + Spoke-to-spoke tunnel lifetime is based on traffic (the tunnel is torn down when its NHRP cache entry is no longer refreshed and expires)
+ Requires routing at two layers: the underlay (NBMA/transport reachability, often just a default route toward the SP) and the overlay (an IGP or BGP running over the tunnel)
+ IPv4/IPv6 supported for both passenger and transport
How DMVPN Works – Hub to Spokes

+ Two main components
  + DMVPN Hub / NHRP Server (NHS)
  + DMVPN Spokes / NHRP Clients (NHC)
+ Spokes/Clients register with Hub/Server
  + Spokes are manually configured with the Hub’s VPN and NBMA addresses
  + Sent via NHRP Registration Request
  + Hub dynamically learns each Spoke’s VPN (tunnel) address and NBMA (transport) address
+ Spokes establish tunnels to Hub
+ Exchange IGP routing information over the tunnel
How DMVPN Works – Spoke to Spoke

+ Spoke1 knows Spoke2’s routes via IGP
  + Learned via tunnel to Hub
  + Next-hop is Spoke2’s VPN IP for DMVPN Phase 2
  + Next-hop is Hub’s VPN IP for DMVPN Phase 3
+ Spoke1 asks for Spoke2’s real address
  + Maps next-hop (VPN) IP to tunnel source (NBMA) IP
  + Sent via NHRP Resolution Request
+ Spoke-to-spoke tunnel is formed
  + Hub only used for control-plane exchange
  + Spoke-to-spoke data plane may flow through the hub until resolution completes
NHRP Important Messages

+ NHRP Registration Request
  + Spokes register their NBMA and VPN IP with the NHS
  + Required to build the spoke-to-hub tunnels
+ NHRP Resolution Request
  + Spoke queries for the VPN-to-NBMA mapping of another spoke
  + Required to build spoke-to-spoke tunnels
+ NHRP Redirect
  + Sent by the NHS when it forwards a spoke-to-spoke data-plane packet back out the same tunnel interface it arrived on
  + Similar to ICMP redirects, which are likewise triggered when a packet’s ingress and egress interface are the same
  + Used only in DMVPN Phase 3 to trigger spoke-to-spoke tunnels; the spoke that receives the Redirect then sends its own Resolution Request
DMVPN
DMVPN Phases 1, 2, & 3
DMVPN Phases

+ DMVPN can be deployed in three “phases”
  + DMVPN Phase 1
  + DMVPN Phase 2
  + DMVPN Phase 3
+ DMVPN phase affects
  + Spoke-to-spoke traffic patterns
  + Supported routing designs
  + Scalability
DMVPN Phase 1 (Now obsolete)

+ mGRE on hub and point-to-point GRE on spokes
+ NHRP still required for spoke registration to hub
+ No spoke-to-spoke tunnels; all spoke-to-spoke traffic transits the hub
+ Routing
  + Summarization/default routing at hub is allowed
  + Next-hop on spokes is always changed by the hub (the hub advertises itself as next-hop)
DMVPN Phase 2 (Now obsolete)

+ mGRE on hub and spokes
+ NHRP required for spoke registration to hub
+ NHRP required for spoke-to-spoke resolution
  + Spoke-to-spoke tunnel triggered by the spoke, based on the next-hop in its own routing table
+ Routing
  + Summarization/default routing at hub is NOT allowed (each spoke needs the specific route whose next-hop is the remote spoke’s VPN IP)
  + Next-hop on spokes is always preserved by the hub (e.g. EIGRP no ip next-hop-self, OSPF broadcast network type with the hub as DR)
  + Multi-level hierarchy requires hub daisy-chaining
DMVPN Phase 3

+ mGRE on hub and spokes
+ NHRP required for spoke registration to hub
+ NHRP required for spoke-to-spoke resolution
+ When a hub receives a packet and forwards it out of the same tunnel interface…
  + Sends an NHRP Redirect message back to the packet source
  + Forwards the original packet down to the destination spoke via the RIB
DMVPN Phase 3 (cont.)

+ Routing
  + Summarization/default routing at hub is allowed
    + Spoke-to-spoke resolution then installs a more-specific NHRP (shortcut) route pointing at the remote spoke
  + With no summary, NHO (next-hop override) is performed for the spoke-to-spoke tunnel
    + The IGP route keeps the hub as next-hop in the RIB, and NHRP overrides the forwarding next-hop with the remote spoke’s VPN IP
  + Next-hop on spokes is always changed by the hub (the hub advertises itself as next-hop)
  + Because of this, NHRP resolution is triggered by the hub’s Redirect, not by the spoke’s routing table
  + Multi-level hierarchy works without daisy-chaining
DMVPN
DMVPN Phase 1 Configuration
In This Section

+ Routing protocols over DMVPN Phase 1
  + RIP
  + EIGRP
  + OSPF
  + BGP
  + ODR
DMVPN Phase 1 (Now obsolete)

+ mGRE on hub and point-to-point GRE on spokes
+ NHRP still required for spoke registration to hub
+ No spoke-to-spoke tunnels; all spoke-to-spoke traffic transits the hub
+ Routing
  + Summarization/default routing at hub is allowed
  + Next-hop on spokes is always changed by the hub (the hub advertises itself as next-hop)
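A minimal Phase 1 hub and spoke pair with EIGRP, as an added example that is not part of the slide deck. Assumptions: EIGRP AS 1, tunnel subnet 10.0.0.0/24, site LANs 10.1.<site>.0/24, NBMA addresses taken from the 192.0.2.0/24 documentation range (hub 192.0.2.1), interface GigabitEthernet0/0 as tunnel source, and an IPsec profile named DMVPN-PROF that is assumed to exist.

```cisco
! ===== Hub: mGRE, learns spokes dynamically through NHRP registration =====
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip nhrp network-id 1
 ! Cloud identifier only: the string travels in cleartext inside NHRP and is
 ! not an authentication control; IPsec on the tunnel is what authenticates peers
 ip nhrp authentication DMVPN1
 ! Replicate EIGRP multicast hellos to every registered spoke
 ip nhrp map multicast dynamic
 ! Allowed in Phase 1: spokes only ever need a path to the hub
 ip summary-address eigrp 1 10.1.0.0 255.255.0.0
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
!
router eigrp 1
 network 10.0.0.0 0.0.0.255
 network 10.1.0.0 0.0.0.255
!
! ===== Spoke (site 2): point-to-point GRE, destination fixed to the hub =====
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip nhrp network-id 1
 ip nhrp authentication DMVPN1
 ! Static VPN-to-NBMA mapping for the hub, plus multicast toward it for EIGRP
 ip nhrp map 10.0.0.1 192.0.2.1
 ip nhrp map multicast 192.0.2.1
 ! Register with the hub (NHS)
 ip nhrp nhs 10.0.0.1
 tunnel source GigabitEthernet0/0
 ! Default tunnel mode is point-to-point GRE; with a fixed destination the spoke
 ! can never build a tunnel to another spoke, so all site-to-site traffic hairpins
 ! through the hub
 tunnel destination 192.0.2.1
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
!
router eigrp 1
 network 10.0.0.0 0.0.0.255
 network 10.1.2.0 0.0.0.255
```

After both sides are up, `show ip nhrp` on the hub should list 10.0.0.2 as a dynamic entry mapped to the spoke's NBMA address, and `show ip route eigrp` on the spoke should show only the 10.1.0.0/16 summary with next-hop 10.0.0.1, which is exactly why the hub is a choke point for spoke-to-spoke traffic in this phase.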
DMVPN
DMVPN Phase 2 Configuration
In This Section

+ Routing protocols over DMVPN Phase 2
  + RIP
  + EIGRP
  + OSPF
  + BGP
DMVPN Phase 2 (Now obsolete)

+ mGRE on hub and spokes
+ NHRP required for spoke registration to hub
+ NHRP required for spoke-to-spoke resolution
  + Spoke-to-spoke tunnel triggered by the spoke, based on the next-hop in its own routing table
+ Routing
  + Summarization/default routing at hub is NOT allowed (each spoke needs the specific route whose next-hop is the remote spoke’s VPN IP)
  + Next-hop on spokes is always preserved by the hub (e.g. EIGRP no ip next-hop-self, OSPF broadcast network type with the hub as DR)
  + Multi-level hierarchy requires hub daisy-chaining
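The same topology moved to Phase 2 with EIGRP, as an added example that is not part of the slide deck. The assumptions are as before (EIGRP AS 1, tunnel 10.0.0.0/24, site LANs 10.1.<site>.0/24, hub NBMA 192.0.2.1 from the documentation range, GigabitEthernet0/0 as tunnel source, an existing IPsec profile DMVPN-PROF). The two lines that make it Phase 2 are the hub's next-hop handling and the absence of a summary.

```cisco
! ===== Hub: re-advertise spoke routes with the original spoke as next-hop =====
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip nhrp network-id 1
 ip nhrp authentication DMVPN1
 ip nhrp map multicast dynamic
 ! Send routes learned from one spoke back out to the other spokes...
 no ip split-horizon eigrp 1
 ! ...and keep the originating spoke's VPN IP as next-hop, so the receiving
 ! spoke has something to resolve through NHRP
 no ip next-hop-self eigrp 1
 ! NOT allowed in Phase 2: ip summary-address eigrp 1 ... would replace the
 ! per-spoke next-hops with the hub and silently push all traffic back through it
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
!
router eigrp 1
 network 10.0.0.0 0.0.0.255
 network 10.1.0.0 0.0.0.255
!
! ===== Spoke (site 2): now mGRE, so it can terminate tunnels from other spokes =====
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 ip nhrp network-id 1
 ip nhrp authentication DMVPN1
 ip nhrp map 10.0.0.1 192.0.2.1
 ip nhrp map multicast 192.0.2.1
 ip nhrp nhs 10.0.0.1
 tunnel source GigabitEthernet0/0
 ! Multipoint, no fixed destination: the NBMA address for a given next-hop
 ! comes from the NHRP cache, populated by the spoke's own Resolution Requests
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
!
router eigrp 1
 network 10.0.0.0 0.0.0.255
 network 10.1.2.0 0.0.0.255
```

When site 2 first sends traffic to 10.1.3.0/24, its routing table already points at 10.0.0.3 (a third spoke), so the spoke sends an NHRP Resolution Request for 10.0.0.3 to the hub and `show ip nhrp` then shows a dynamic 10.0.0.3 entry with the remote NBMA address. The cost of this design is visible in the same output: every spoke must carry every other spoke's specific prefixes, so the routing and NHRP state on the smallest spoke grows with the number of sites.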
DMVPN
DMVPN Phase 3 Configuration
In This Section

+ Routing protocols over DMVPN Phase 3
  + RIP
  + EIGRP
  + OSPF
  + BGP
  + ODR
DMVPN Phase 3

+ mGRE on hub and spokes
+ NHRP required for spoke registration to hub
+ NHRP required for spoke-to-spoke resolution
+ When a hub receives a packet and forwards it out of the same tunnel interface…
  + Sends an NHRP Redirect message back to the packet source
  + Forwards the original packet down to the destination spoke via the RIB
DMVPN Phase 3 (cont.)

+ Routing
  + Summarization/default routing at hub is allowed
    + Spoke-to-spoke resolution then installs a more-specific NHRP (shortcut) route pointing at the remote spoke
  + With no summary, NHO (next-hop override) is performed for the spoke-to-spoke tunnel
    + The IGP route keeps the hub as next-hop in the RIB, and NHRP overrides the forwarding next-hop with the remote spoke’s VPN IP
  + Next-hop on spokes is always changed by the hub (the hub advertises itself as next-hop)
  + Because of this, NHRP resolution is triggered by the hub’s Redirect, not by the spoke’s routing table
  + Multi-level hierarchy works without daisy-chaining
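The Phase 3 version of the same hub and spoke, as an added example that is not part of the slide deck, with the same assumptions as before (EIGRP AS 1, tunnel 10.0.0.0/24, site LANs 10.1.<site>.0/24, hub NBMA 192.0.2.1 from the documentation range, GigabitEthernet0/0 as tunnel source, an existing IPsec profile DMVPN-PROF). Compared with Phase 2, the hub gets back its summary and its default next-hop-self behaviour, and the redirect/shortcut pair replaces the spoke-driven resolution.

```cisco
! ===== Hub: redirect traffic that hairpins through Tunnel0, advertise a summary =====
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip nhrp network-id 1
 ip nhrp authentication DMVPN1
 ip nhrp map multicast dynamic
 ! Phase 3: when a packet arrives on Tunnel0 and is routed back out Tunnel0,
 ! send an NHRP Redirect to the source spoke (the packet itself is still forwarded)
 ip nhrp redirect
 ! Summarization is allowed again: spokes send spoke-to-spoke traffic to the hub
 ! until the redirect and resolution install a more-specific NHRP route
 ip summary-address eigrp 1 10.1.0.0 255.255.0.0
 ! ip next-hop-self eigrp is left at its default (enabled): the hub is the next-hop
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
!
router eigrp 1
 network 10.0.0.0 0.0.0.255
 network 10.1.0.0 0.0.0.255
!
! ===== Spoke (site 2): act on the hub's redirects =====
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 ip nhrp network-id 1
 ip nhrp authentication DMVPN1
 ip nhrp map 10.0.0.1 192.0.2.1
 ip nhrp map multicast 192.0.2.1
 ip nhrp nhs 10.0.0.1
 ! Phase 3: on receiving a Redirect, resolve the destination through the NHS and
 ! install the resulting shortcut (NHRP route, or NHO when no summary is in use)
 ip nhrp shortcut
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
!
router eigrp 1
 network 10.0.0.0 0.0.0.255
 network 10.1.2.0 0.0.0.255
```

On the spoke, `show ip route eigrp` shows only the 10.1.0.0/16 summary via 10.0.0.1; after the first packets toward another site, `show ip route nhrp` shows the more-specific shortcut toward the remote spoke and `show ip nhrp` the matching dynamic entry. Note that a Redirect is an instruction to re-route traffic, and NHRP's own authentication string is cleartext, so the integrity of that instruction rests entirely on tunnel protection being applied on every member of the cloud, not only on the hub.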
