DMVPN – What Is It? When Should I Use It?

April 4th, 2016
Numerous customers have presented us with design challenges that can be resolved via the use of DMVPN.  What is DMVPN? Where does it fit? What do I need to implement this solution? This article will answer those questions and more.
DMVPN stands for Dynamic Multipoint Virtual Private Network and is a mature, full-mesh-capable WAN connectivity solution. It offers dynamic inter-site connectivity and is straightforward to deploy. DMVPN offers a secure, easily configured, and scalable WAN solution. Most commonly, DMVPN runs as an overlay network riding on top of existing Internet connectivity. Although not commonly deployed, DMVPN can also run over MPLS (2547oDMVPN). We have most commonly seen DMVPN deployed either on its own or alongside MPLS as a second WAN path, with either path acting as primary and the other as backup. This allows a customer to use MPLS as their primary path and DMVPN as their backup path in case of an MPLS outage. Traffic engineering based on prefix length (summaries vs. more specific prefixes), route types, metrics, etc. can be used to split traffic over both WAN paths as required.
DMVPN is a suite of protocols working together to offer encrypted WAN connectivity. NHRP, mGRE, IPSEC, an IGP (most commonly EIGRP), and CEF all work together to support DMVPN networks. NHRP is responsible for mapping each node's tunnel IP to its NBMA IP (public IP) in the DMVPN network. It communicates via a series of NHRP Registration Request and Resolution Request messages to dynamically find the other tunnel nodes and bring up the DMVPN network. NHRP consists of a next hop server (hub) and clients (spokes). NHRP basically tells each tunnel location (hub and spokes) how to find one another dynamically. mGRE is responsible for the logical piece, AKA the tunnel.
IPSEC offers encryption to DMVPN networks so that the DMVPN payload is protected as it traverses the underlay network (i.e. the Internet). IPSEC is much easier to configure for DMVPN than for traditional site-to-site tunnels. “Interesting traffic ACLs” are not required for IPSEC with DMVPN, as they are with classic site-to-site tunnels. Any traffic routed over the DMVPN tunnel interface is encrypted with minimal configuration. You can be more specific about what is encrypted vs. not, but this is not mandatory.
DMVPN requires a network device that supports GRE as well as the other protocols. We most commonly deploy Cisco ISRs. License level must support all of the aforementioned protocols as well.
DMVPN offers hub-and-spoke or full mesh “phases”. Phase 1 is hub-and-spoke at both the control plane and the data plane. Phase 2 is hub-and-spoke at the control plane, but full mesh at the data plane (aka spoke-to-spoke connectivity) via a CEF modification. Phase 3 is hub-and-spoke at the control plane, but full mesh at the data plane via NHRP Shortcuts and NHRP Redirects. Each phase has different implications for the routing protocols run over it. Phase 3 is the most commonly deployed, but this depends on design requirements. Multicast is supported over DMVPN tunnels, but a small amount of additional configuration is required.
DMVPN is an easy-to-deploy, secure, scalable, and cost-effective WAN alternative. It is well documented, stable, and offers many design options. Companies can leverage existing Internet connections and the required hardware to stand up their own WAN overlay without much involvement from their providers.