Case Studies

This case study section centers on Dynamic Multipoint VPN (DMVPN), a feature introduced in IOS code to address the scalability issues of LAN-to-LAN tunnels built with GRE and IPsec.

In the LAN-to-LAN troubleshooting section, you have seen how GRE over IPsec works and addresses some of the issues that basic LAN-to-LAN has: its inability to encrypt non-IP, multicast, and broadcast traffic.

In a large-scale VPN deployment, several spokes need to talk to each other, so you have the option of building either a full mesh or a hub-and-spoke network. Because a full mesh does not scale very well, hub-and-spoke networks are mainly deployed, in which every spoke builds a tunnel to the hub and communicates through the hub.

The problem with this deployment is that the hub has to encrypt and decrypt each packet twice to pass one data stream between two spokes, which overburdens the hub's CPU. Also, in regard to configuration, the hub needs a configuration entry for every spoke so that the spokes can build their tunnels. If there are hundreds of spokes, the situation becomes quite complex, and sometimes impossible. Dynamic Multipoint VPN comes to your rescue under this type of circumstance. With DMVPN set up, all the spokes build their tunnel with only the hub, using the multipoint GRE interface, and with the help of NHRP, spokes dynamically learn a peer's IP address and all the information necessary from the hub to build a spoke-to-spoke tunnel dynamically. DMVPN not only builds tunnels on demand, but also tears them down dynamically. Hub configuration is reduced dramatically, and when new spokes are added, the hub configuration does not have to be modified. A detailed discussion of DMVPN is beyond the scope of this book, so a brief discussion of its operation will have to suffice.

DMVPN Architecture

DMVPN relies on two proven Cisco technologies:

Multipoint GRE Tunnel Interface (mGRE Interface)

This allows a single GRE interface to build multiple IPsec tunnels, and significantly simplifies the size and complexity of the configuration.

An mGRE interface has an IP address, a tunnel source interface, and a tunnel key as follows: