1 Fundamentals of DMVPN

What is DMVPN?

Dynamic Multipoint Virtual Private Network (DMVPN) is an advanced networking technology that offers a flexible and secure method for connecting remote sites, such as branch offices, over untrusted networks. Let's break down DMVPN in an easy-to-understand way.

Key Components

1. Hub and Spoke Topology

In a DMVPN setup, you have a central hub and remote spokes. The hub is typically located in a data center or headquarters, while the spokes represent branch offices or remote sites. The spokes communicate with the hub and, in some cases, can communicate directly with each other, reducing the reliance on hub-to-spoke communication.

2. Tunnels

DMVPN creates virtual (GRE) tunnels between the spokes and the hub. When IPsec is applied to them, these tunnels act as secure channels through which data can flow, keeping it private and authenticated.

3. Dynamic Routing

One of DMVPN's key features is that it is dynamic: a routing protocol runs over the tunnels, and spokes can bring up tunnels directly to each other on demand, so no fixed, dedicated link has to be provisioned between each pair of sites.

4. Security

DMVPN is designed to be secured with IPsec: when the tunnels are protected by an IPsec profile, data traveling between the spokes and the hub is encrypted and authenticated.

Key Terms

Hub

The hub in a DMVPN deployment is the central point of the network, typically located in a data center or headquarters. It serves as the primary point of contact for all remote spokes and plays a pivotal role in managing communication within the DMVPN network.

NHS (Next-Hop Server)

The NHS, or Next-Hop Server, is a critical element within the DMVPN infrastructure. It resides at the hub and helps spokes discover each other's public IP addresses, facilitating direct communication between spokes. The NHS is responsible for maintaining the NHRP (Next Hop Resolution Protocol) mapping table, which maps each spoke's overlay (tunnel) address to its underlay address so that traffic can be sent directly to the right site.

Spoke NHC (Next-Hop Client)

Spoke NHC, or Next-Hop Client, is typically located at remote sites or branch offices in a DMVPN network. It communicates with the NHS to learn the public IP addresses of other spokes, enabling dynamic, direct connections between remote sites without relying on the hub for all traffic.

Underlay Address

The underlay address refers to the physical network addresses used in the underlying infrastructure. It represents the actual IP addresses assigned to the routers or devices in the physical network. In DMVPN, the underlay network is the infrastructure over which the DMVPN tunnels are established. These addresses are used for routing packets between different sites within the DMVPN network.

Overlay Address

The overlay address, on the other hand, is a virtual or private address that is used within the DMVPN network. It's the address that the routers use when communicating with each other through the DMVPN tunnels. Overlay addresses are separate from the underlay addresses and are often assigned within the DMVPN configuration. They enable secure and private communication between remote sites without exposing the underlay network's details.

GRE (Generic Routing Encapsulation)

GRE is the tunneling protocol on which DMVPN tunnels are built (DMVPN uses a multipoint GRE interface). It encapsulates data packets so they can be transported between sites across the underlay; confidentiality comes from IPsec, not from GRE itself.

IPsec (Internet Protocol Security)

IPsec is a suite of protocols used to secure data communication over IP networks. In DMVPN, it is often used to provide encryption and authentication for the data transmitted over the virtual tunnels.
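To tie the terms above (hub/NHS, spoke/NHC, underlay and overlay addresses, GRE, IPsec) to an actual configuration, here is an added example of a minimal DMVPN hub and one spoke on Cisco IOS with the tunnels protected by IPsec. It is not taken from the page or from Cisco documentation; every name, address and the pre-shared key is a constructed placeholder (RFC 5737 documentation ranges for the underlay, 10.0.0.0/24 for the overlay), and it assumes an IOS image with IKEv2 support and an interface named GigabitEthernet0/0 facing the underlay.

```cisco
! ---------- HUB (NHS) ----------
! Underlay (public) address on Gi0/0: 198.51.100.1   (constructed)
! Overlay (tunnel) address:           10.0.0.1/24    (constructed)
!
! IKEv2 + IPsec is what gives the tunnel confidentiality and
! authentication; GRE and NHRP on their own protect nothing.
crypto ikev2 proposal DMVPN-PROP
 encryption aes-gcm-256
 prf sha256
 group 19
!
crypto ikev2 policy DMVPN-POL
 proposal DMVPN-PROP
!
! Wildcard peer: any device holding this PSK may join the DMVPN.
! Per-spoke keys or certificates are the stronger choice.
crypto ikev2 keyring DMVPN-KEYS
 peer SPOKES
  address 0.0.0.0 0.0.0.0
  pre-shared-key EXAMPLE-PSK-REPLACE-ME
!
crypto ikev2 profile DMVPN-IKEV2
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local DMVPN-KEYS
!
crypto ipsec transform-set DMVPN-TS esp-gcm 256
 mode transport
!
crypto ipsec profile DMVPN-IPSEC
 set transform-set DMVPN-TS
 set ikev2-profile DMVPN-IKEV2
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0           ! overlay address
 ip mtu 1400                                 ! leave room for GRE + ESP headers
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 10                ! hub must re-advertise spoke routes to other spokes
 ip nhrp authentication NHRPKEY              ! cleartext, max 8 chars: a mismatch guard, not a security control
 ip nhrp network-id 1
 ip nhrp map multicast dynamic               ! learn spoke underlay addresses as they register
 ip nhrp redirect                            ! tell spokes to resolve each other directly (spoke-to-spoke)
 tunnel source GigabitEthernet0/0            ! underlay address the GRE packets are sent from
 tunnel mode gre multipoint                  ! one interface, many peers
 tunnel key 1
 tunnel protection ipsec profile DMVPN-IPSEC ! encrypt/authenticate the GRE traffic
!
router eigrp 10
 network 10.0.0.0 0.0.0.255                  ! overlay
 network 192.168.1.0 0.0.0.255               ! hub LAN (constructed)
!
! ---------- SPOKE (NHC) ----------
! Underlay: 203.0.113.2, overlay: 10.0.0.2/24, LAN 192.168.2.0/24 (constructed).
! The crypto ikev2 / ipsec blocks are identical to the hub's and are omitted here.
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication NHRPKEY
 ip nhrp network-id 1
 ip nhrp map 10.0.0.1 198.51.100.1           ! static overlay -> underlay mapping for the hub
 ip nhrp map multicast 198.51.100.1          ! send routing-protocol multicast to the hub
 ip nhrp nhs 10.0.0.1                        ! register with the NHS
 ip nhrp shortcut                            ! install direct spoke-to-spoke paths when redirected
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-IPSEC
!
router eigrp 10
 network 10.0.0.0 0.0.0.255
 network 192.168.2.0 0.0.0.255
!
! Verification from exec mode:
!   show dmvpn            (tunnel peers and their underlay/overlay pairs)
!   show ip nhrp          (the NHRP mapping table)
!   show crypto ikev2 sa  (IKE sessions)
!   show crypto ipsec sa  (IPsec SAs and packet counters)
```

Two points worth checking on any DMVPN you review: first, `ip nhrp authentication` and `tunnel key` only guard against accidental cross-connection of tunnels, so the only real authentication and confidentiality is the IPsec profile under `tunnel protection`; a tunnel interface without that line carries plain GRE over the underlay. Second, the wildcard keyring above accepts any peer that knows the shared PSK, which is convenient for a lab but means one leaked key exposes the whole overlay; in production, scope keys per peer or use certificate authentication in the IKEv2 profile.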

Routing Protocols

DMVPN can work with various routing protocols, such as EIGRP (Enhanced Interior Gateway Routing Protocol), OSPF (Open Shortest Path First), and BGP (Border Gateway Protocol). These protocols enable efficient routing of data between remote sites and the central hub.

CEF (Cisco Express Forwarding)

CEF is a high-performance, Layer 3 IP switching technology often used in Cisco routers to enhance the efficiency of routing in DMVPN environments.

QoS (Quality of Service)

QoS is crucial in DMVPN to prioritize and manage traffic flows effectively, ensuring that critical applications receive the necessary bandwidth and network resources.

Split Tunneling

Split tunneling is a configuration option in DMVPN that allows remote site traffic to be divided between the secure DMVPN network and a local internet connection. It can be used to optimize traffic routing and conserve bandwidth.

Why Use DMVPN?

  • Cost-Efficiency: DMVPN leverages the internet or untrusted networks, reducing the need for dedicated connections between remote locations, making it cost-effective.

  • Flexibility: Adding new remote sites is straightforward, as DMVPN doesn't require an overhaul of the entire network design. It's highly scalable.

  • Direct Communication: Spokes can communicate directly, distributing the network load and potentially improving performance.

DMVPN Resources

To get a better understanding of DMVPN, check out the following RFCs and documentation:

  1. RFC 2332: "NBMA Next Hop Resolution Protocol (NHRP)" - This RFC introduces NHRP, the protocol DMVPN uses for address resolution between spokes and the hub.

  2. RFC 2784: "Generic Routing Encapsulation (GRE)" - This RFC defines GRE, which DMVPN uses to encapsulate private network traffic for transport across public networks.

  3. RFC 2409: "The Internet Key Exchange (IKE)" - This RFC describes the Internet Key Exchange protocol, commonly used in DMVPN configurations for secure key management.

  4. RFC 4301: "Security Architecture for the Internet Protocol" - An updated version of RFC 2401, including key security principles for IP-based networks, relevant to DMVPN.

  5. RFC 4302: "IP Authentication Header" - This RFC specifies the IP Authentication Header (AH) protocol, which provides data integrity, data origin authentication, and anti-replay services for IP packets.

  6. RFC 4303: "IP Encapsulating Security Payload (ESP)" - This RFC defines the IP Encapsulating Security Payload (ESP) protocol, which offers confidentiality, data integrity, data origin authentication, and anti-replay protection for IP packets.

  7. Cisco DMVPN Data Sheet - This data sheet provides detailed information about Cisco's DMVPN implementation, including technical specifications and features.