DMVPN stands for Dynamic Multipoint Virtual Private Network. It is a network solution that allows for the creation of virtual private networks (VPNs) over the Internet or any IP network. DMVPN is designed to provide a scalable and flexible approach to building secure site-to-site VPNs in a dynamic and cost-effective manner.
Traditional VPN solutions typically require a point-to-point connection between each site in the network. This can become complex and difficult to manage as the number of sites increases. DMVPN addresses this challenge by utilizing a hub-and-spoke architecture with dynamic IPsec tunnels.
In a DMVPN network, there is a central hub device that acts as a focal point for the VPN connections. Each remote site, also known as a spoke, establishes a direct tunnel with the hub. The tunnels are dynamically built and torn down as needed, allowing for easy scalability and adaptability in the network.
DMVPN leverages routing protocols, such as EIGRP (Enhanced Interior Gateway Routing Protocol) or OSPF (Open Shortest Path First), to dynamically exchange routing information between the hub and spokes. This dynamic routing approach eliminates the need for static routing configurations, making it easier to add or remove sites without manual intervention.
One of the key benefits of DMVPN is its ability to optimize bandwidth usage. It achieves this through a technique called mGRE (multipoint GRE), which allows multiple spoke sites to share a single tunnel to the hub. This reduces the overhead associated with maintaining individual tunnels for each spoke, resulting in more efficient bandwidth utilization.
Overall, DMVPN provides a flexible and scalable solution for creating secure VPNs over IP networks. It simplifies network management, enhances scalability, and optimizes bandwidth usage, making it particularly suitable for large and geographically distributed networks.
CONFIGURATION
The ISAKMP protocol (Internet Security Association and Key Management Protocol) is a framework for dynamically establishing security associations and cryptographic keys in an Internet environment.
Apply the same crypto ISAKMP policy, key, crypto IPsec Transform-set and Profile on the HQ (Hub) all sites (Spokes).
Each tunnel interface on the hub router is identified by a unique number, starting from 0 and incrementing for each additional tunnel interface. The “tunnel 0” interface is typically used as the default or primary tunnel interface in a DMVPN configuration.
The hub router’s “tunnel 0” interface is responsible for receiving and forwarding encrypted traffic from the spoke routers. It encapsulates and decapsulates the data packets, ensuring secure transmission across the VPN. The hub router uses routing protocols like EIGRP or OSPF to exchange routing information with the spoke routers, enabling dynamic and efficient routing within the DMVPN network.
Apart from the ip address on the Tunnel 0 interface, the only difference between the HQ (Hub) and the sites (Spokes) configuration are highlighted in the red box such as mapping the HQ tunnel ip address (10.0.0.1) to its public ip address (50.50.50.2) and the specification of the next hop server which is the HQ tunnel 0 ip address (10.0.0.1)
To leverage a dynamic routing protocol such as OSPF (Open Shortest Path First), setting the priority to 0 on the sites (Spokes) ensures that they will never be the DR or BDR in order to avoid LSA flooding and excluding the interface facing the internet from participating in OSPF.
EIGRP (Enhanced Interior Gateway Routing Protocol) or BGP (Border gateway protocol) works perfectly well over DMVPN, OSPF you cannot summarize within an area. This is a problem because all of the routers on the DMVPN must be in the same area, and therefore we are unable to send a summary route from the hub down to the spokes and use NHRP overrides for spoke to spoke traffic.
NHRP (Next Hop Resolution Protocol) is an integral part of DMVPN (Dynamic Multipoint Virtual Private Network) and plays a crucial role in establishing and maintaining dynamic IPsec tunnels within the network.
In a DMVPN deployment, NHRP is used to provide efficient resolution of next-hop addresses. When a spoke router needs to send a packet to another spoke, it uses NHRP to determine the appropriate next-hop router, which is usually the hub router. NHRP allows spokes to dynamically discover the IP address of the next-hop router and establish a shortcut tunnel directly to it.
The NHRP process involves three main components:
- NHRP Clients (spokes): The NHRP clients are the spoke routers in the DMVPN network. They send NHRP requests to resolve the next-hop IP address of the destination spoke router.
- NHRP Server (hub): The NHRP server is typically the hub router in the DMVPN network. It receives NHRP requests from the spokes and provides the necessary information to establish direct tunnels between spokes.
- NHRP Resolution Requests and Replies: When a spoke router wants to send a packet to another spoke, it sends an NHRP resolution request to the hub router, specifying the destination spoke’s registered name or IP address. The hub router checks its NHRP cache to determine if it knows the mapping between the destination and its current IP address. If the mapping is found, the hub router sends an NHRP resolution reply to the requesting spoke, providing the necessary information to establish a direct tunnel with the destination spoke.
show dmvpn
show ip route ospf
Network reachability from site-2 and Site-3
Thank you once again for taking the time to read my blog. Your support motivates me to keep striving for excellence and providing valuable content. I hope you continue to find my blog informative and enjoyable.