Your IP: Unknown · Your Status: ProtectedUnprotectedUnknown

Skip to main content

What is a dynamic multipoint VPN? DMVPN explained

A dynamic multipoint VPN offers organizations an innovative way to streamline network operations. Imagine connecting multiple branch offices to your central corporate hub without the tedious task of setting up point-to-point links at each site. This article covers what a DMVPN is, how it works, its advantages, and everything else you should know if you’re considering setting one up.

What is a dynamic multipoint VPN? DMVPN explained

Table of Contents

Table of Contents

What is a DMVPN? DMVPN meaning

A dynamic multipoint virtual private network (DMVPN) is a network configuration that allows various remote sites, referred to as “spokes,” to securely exchange data directly with each other, bypassing the need to route this data through a central VPN server or “hub.”

Picture the network as a bicycle wheel. The hub is the central point that helps each spoke to connect and access necessary resources. After establishing these connections, the spokes can communicate directly with each other, regardless of their location.

This arrangement allows data to flow directly between spokes without passing through the hub, improving the network’s efficiency and speeding up communication.

DMVPN vs. regular VPN

A DMVPN offers a flexible and scalable network solution for large companies with changing needs. It simplifies adding or removing locations by automatically updating network routes, making it less labor-intensive than a traditional VPN.

Additionally, a DMVPN enhances network efficiency by enabling direct connections between sites after the initial setup, which helps prevent slowdowns at the central hub. Traditional VPNs work well for smaller, static networks, but managing multiple fixed connections can become complex and resource-intensive as the network expands.

DMPVN vs. mesh networks

In a DMPVN, spoke-to-spoke tunnels can be established on demand, bypassing the hub. Similarly, mesh networks automatically reroute data in response to network changes. Both systems aim to optimize network efficiency by reducing unnecessary hops and potentially lowering latency.

The choice between a DMPVN and mesh networks essentially depends on specific deployment needs. A DMPVN is typically more suitable if you prioritize centralized control and ease of configuration. Conversely, mesh networks are the better option for maximizing uptime and ensuring high fault tolerance.

How does a DMVPN work?

A DMVPN works by allowing branch locations to communicate directly with each other over a public WAN or internet connection. In this setup, each remote site is configured with VPN routers and firewall concentrators to connect to the company’s headquarters VPN hub.

When two spokes need to exchange data, such as during a VoIP (voice over IP) call, one spoke contacts the hub to obtain information about the other spoke’s current dynamic IP address. Once the initiating spoke has the destination IP address, it can establish a dynamic IPsec VPN tunnel directly with the other spoke. This setup bypasses the need for a permanent VPN connection by utilizing a centralized hub-and-spoke model.

Traditional VPN connections between spokes and the hub involve permanent spoke-to-hub tunnels, but a DMVPN introduces a dynamic approach by creating on-demand spoke-to-spoke tunnels. These dynamic IPsec VPN tunnels are established only when needed.

infographic: how dmvpn works

DMVPN components

Besides spokes, hubs, VPN routers, and firewall concentrators, a DMVPN includes four additional components:

  • Multipoint GRE (mGRE)
  • NHRP (next hop resolution protocol)
  • Dynamic routing protocols
  • IPsec (not required but recommended)

Multipoint GRE

First, what is mGRE? Multipoint generic routing encapsulation (mGRE) is a protocol used in DMVPN deployments to create multipoint GRE tunnels connecting multiple spokes and the central hub. Unlike traditional point-to-point GRE tunnels, which link only two endpoints, an mGRE tunnel allows a single VPN tunnel to connect numerous endpoints.

Think of the mGRE network like a roundtable dinner where everyone can talk to everyone else — no single server exclusively provides or controls the flow of conversation or, in our case, data. With mGRE, spokes can directly communicate with each other over the DMVPN network, eliminating the need to route all traffic through the central hub.

NHRP

The next hop resolution protocol (NHRP) functions as a directory service in DMVPN setups, actively aiding spoke routers in locating each other’s public IP addresses. For example, if a branch router wants to connect to another, it has to query the NHRP server for the destination router’s public IP address.

The NHRP server promptly checks its cache and provides the necessary information, including the destination IP address. This seamless process ensures clear and efficient communication among routers within the DMVPN network.

Routing protocols

Routing protocols help determine the best route for data to travel across the network. DMVPN supports dynamic routing protocols like EIGRP, OSPF, and BGP. Each has its strengths and is suited for different network sizes and types. For small-scale networks, OSPF is a preferred choice. For larger setups, EIGRP or BGP might be more suitable.

Moreover, routing protocols can dynamically adjust to network changes. For example, if new spoke routers are added or an existing link fails, routing protocols automatically update the routing tables to reflect these changes.

IPsec

In a DMVPN setup, IPsec encrypts data moving between the hub router and spoke routers. This encryption protects sensitive information and keeps it confidential as it travels across public networks.

DMVPN phases

The DMVPN design model is structured into three phases.

Phase 1

In the initial phase of a DMVPN, all spoke-to-spoke traffic routes through the central hub router. Each spoke connects to the hub router using standard point-to-point GRE tunnel interfaces and requires only a summary or default route to reach other spokes. This direct method simplifies the routing configuration, facilitating easier management in networks with multiple remote locations.

Phase 2

Initially, all traffic between spokes must pass through the central hub, which can lead to bottlenecks as the network grows. However, the DMVPN phase 2 changes this by allowing spokes to establish direct connections after initial contact through the hub. Using information from the hub, each spoke sets up a direct tunnel with the other, exchanging IP addresses and security parameters.

This arrangement allows data to flow directly between spokes without routing through the hub. These direct connections, identified by their unique IP addresses and carried out by multiple IPsec tunnels, stay active for a set period or until no longer necessary.

Phase 3

The DMVPN phase 3 increases independence and efficiency by allowing spokes to manage their own connections and routing with minimal help from the hub. Once the hub DMVPN router sets up the initial connection, spokes directly share routing information and traffic using dynamic protocols like OSPF or EIGRP.

NHRP also helps spokes keep track of the network’s layout, enabling them to set up and handle their own routes. In this phase, each tunnel can be assigned a unique tunnel key to ensure traffic is segregated and routed correctly through each dynamically established path.

Advantages of a DMVPN

Setting up a dynamic multipoint VPN provides several advantages.

Lower administrative costs

A DMVPN simplifies managing a wide-area network (WAN) by reducing setup tasks. You don’t need to configure complex security settings for each connection or modify the central network hub to add new spokes. Additionally, a DMVPN eliminates the necessity for costly dedicated leased lines between network sites.

More flexibility

A DMVPN simplifies network management by dynamically adding new sites and managing traffic routing. Simplified hub router configuration reduces the manual setup network administrators have to handle, lowering the complexity and overhead of network management.

Additionally, a DMVPN’s flexible design lets organizations easily add or remove sites without significant changes to their overall network infrastructure. This feature makes it ideal for growing businesses that need to expand their networks dynamically.

Reduced bandwidth

Direct links between remote sites improve bandwidth use in DMVPN setups. In a traditional hub-and-spoke model, the hub manages all traffic, which can cause congestion, especially during peak times. With DMVPN, data can go straight from one remote site to another, skipping the hub. This direct communication helps spread out the traffic evenly, reducing jitter.