Dynamic Multipoint VPN
IPsec is a commonly implemented adaptation of basic secured tunnels from site to site or from remote users to a central site. However, it has limitations. In a site-to-site, hub-and-spoke environment, for example, all VPN traffic from spoke to spoke must traverse the hub site, where it must be decrypted, routed, and then encrypted again. This is a lot of work for a VPN concentrator, especially in a large environment with many spoke sites where a lot of traffic must flow between spokes. One result is increased network overhead and higher memory and CPU requirements at the central site. Another is significant configuration complexity at the hub router.
Dynamic Multipoint VPN (DMVPN) takes advantage of IPsec, GRE tunnels, and Next Hop Resolution Protocol (NHRP) to make IPsec scale better in a hub-and-spoke environment. DMVPN also supports traffic separation across VPNs and is VRF-aware.
In a typical hub-and-spoke IPsec VPN environment, the hub router must have separate, statically configured crypto maps, crypto access lists, GRE tunnels, and ISAKMP peer statements for each spoke router. This is one of the limits of traditional hub-and-spoke VPN scalability that DMVPN eliminates. In a DMVPN environment, the spoke router connection information is not explicitly configured on the hub router. Instead, the hub router is configured with a single multipoint GRE (mGRE) tunnel interface and a set of profiles that apply to the spoke routers. Each spoke router points to one or more hubs, facilitating redundancy and load sharing. DMVPN also supports multicast traffic from hub to spoke routers.
The benefits of DMVPN compared to a traditional IPsec hub-and-spoke VPN environment include these:
■ Simpler hub router configuration. A DMVPN hub router requires only one multipoint GRE tunnel interface, one IPsec profile, and no crypto access lists.
■ Zero-touch at the hub router for provisioning spoke routers. The hub router does not require configuration changes when new spoke routers are brought online.
■ Automatically initiated IPsec encryption, facilitated by NHRP.
■ Dynamic addressing support for spoke routers. Instead of static configuration, the hub learns spoke router addresses when they register with the network.
■ Dynamically created spoke-to-spoke tunnels. Spoke routers learn about each other using NHRP so that they can form tunnels between each other automatically instead of requiring spoke-to-spoke traffic to be decrypted, routed, and re-encrypted at the hub router.
■ VRF integration for MPLS environments.
A dynamic routing protocol (EIGRP, OSPF, BGP, RIP, or even ODR for small deployments) is required between the hub and the spokes. (Cisco recommends a distance vector protocol, and therefore prefers EIGRP for large-scale deployments.) This is how spoke routers learn about the networks at other spoke routers. In a DMVPN environment, the next-hop IP address for a spoke network is the tunnel interface of that spoke.
Layer 3 Security 685
Figure 18-11 shows a DMVPN network with one hub and three spoke routers. In this network, each spoke router has a permanent IPsec tunnel to the hub router. Each of the spokes, which are NHRP clients, registers with the NHRP server (the hub router). When a spoke router needs to send traffic to a private network on another spoke router, which it has learned about through the dynamic routing protocol running between the hub and the spokes, that spoke router queries the NHRP server on the hub router for the outside IP address of the destination spoke router. When the NHRP server returns that information, the originating spoke router initiates a dynamic IPsec tunnel to the other spoke router over the mGRE tunnel. After the required traffic has passed and the connection has been idle for a preconfigured time, the dynamic IPsec tunnel is torn down to save router resources (IPsec security associations, or SAs).
Figure 18-11 Basic DMVPN Network
For more details on DMVPN, see the link in the “Further Reading” section at the end of the chapter. You should be familiar with the concepts of DMVPN, but not the configuration details, for the CCIE Routing and Switching written exam.
NOTE Figure 18-11 is redrawn from Figure 1 in “Dynamic Multipoint VPN (DMVPN)” at http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080110ba1.html.
[Figure 18-11 labels: Hub 10.100.1.1 (static public IP address, 172.16.13.1); tunnel network 10.100.1.0 255.255.255.0; spoke LANs 10.1.1.0 255.255.255.0 (10.1.1.1) and 10.1.2.0 255.255.255.0 (10.1.2.1); spokes with dynamic (or static) public IP addresses; dynamic and temporary spoke-to-spoke IPsec tunnels; dynamic and permanent spoke-to-spoke IPsec tunnels.]