Menu
Home
People
Places
Arts
History
Plants & Animals
Science
Life & Culture
Technology
Reference.org
Dynamic Multipoint Virtual Private Network
open-in-new
<h2 id="process">Process</h2> <p>DMVPN provides the capability for creating a dynamic-mesh VPN network without having to pre-configure (static) all possible tunnel end-point peers, including <a href="/facts/IPsec/01MwcET1">IPsec</a> (Internet Protocol Security) and <a href="/facts/ISAKMP/qmfWuLtF">ISAKMP</a> (Internet Security Association and Key Management Protocol) peers.<a class="footnote-ref" id="fnref:3" href="#fn:3"><sup>3</sup></a> DMVPN is initially configured to build out a <a href="/facts/Spoke%E2%80%93hub_distribution_paradigm/zlBXTU02">hub-and-spoke network</a> by statically configuring the hubs (VPN headends) on the spokes, no change in the configuration on the hub is required to accept new spokes. Using this initial hub-and-spoke network, tunnels between spokes can be dynamically built on demand (dynamic-mesh) without additional configuration on the hubs or spokes. This dynamic-mesh capability alleviates the need for any load on the hub to route data between the spoke networks.<a class="footnote-ref" id="fnref:4" href="#fn:4"><sup>4</sup></a> </p> <h2 id="technologies">Technologies</h2> <ul><li><a href="/facts/Next_Hop_Resolution_Protocol/18bk8TMh">Next Hop Resolution Protocol</a>, <a href="/facts/RFC_(identifier)/esftTvE7">RFC</a> <a href="https://datatracker.ietf.org/doc/html/rfc2332">2332</a></li> <li>An IP-based routing protocol, <a href="/facts/Enhanced_Interior_Gateway_Routing_Protocol/KIcfLjbh">EIGRP</a>, <a href="/facts/Open_Shortest_Path_First/PACpGUHb">OSPF</a>, <a href="/facts/RIPv2/xGeIuGk6">RIPv2</a>, <a href="/facts/Border_Gateway_Protocol/XfYgBzW3">BGP</a> or <a href="/facts/On_Demand_Routing/APyHLhE6">ODR</a> (DMVPN hub-and-spoke only).<a class="footnote-ref" id="fnref:5" href="#fn:5"><sup>5</sup></a></li> <li><a href="/facts/Generic_Routing_Encapsulation/0TQRDUMK">Generic Routing Encapsulation</a> (GRE), <a href="/facts/RFC_(identifier)/esftTvE7">RFC</a> <a href="https://datatracker.ietf.org/doc/html/rfc1701">1701</a>, or multipoint GRE if spoke-to-spoke tunnels are desired</li> <li><a href="/facts/IPsec/01MwcET1">IPsec</a> (Internet Protocol Security) using an IPsec profile, which is associated with a virtual tunnel interface in IOS software. All traffic sent via the tunnel is <a href="/facts/Encrypted/16q29Fdv">encrypted</a> per the policy configured (IPsec transform set)</li></ul> Internal routing <p><a href="/facts/Routing_protocol/LH5U2Qh5">Routing protocols</a> such as <a href="/facts/OSPF/PACpGUHb">OSPF</a>, <a href="/facts/Enhanced_Interior_Gateway_Routing_Protocol/KIcfLjbh">EIGRP v1 or v2</a> or <a href="/facts/Border_Gateway_Protocol/XfYgBzW3">BGP</a> are generally run between the hub and spoke to allow for growth and scalability. Both <a href="/facts/EIGRP/KIcfLjbh">EIGRP</a> and BGP allow a higher number of supported spokes per hub.<a class="footnote-ref" id="fnref:6" href="#fn:6"><sup>6</sup></a> </p> Encryption <p>As with <a href="/facts/Generic_Routing_Encapsulation/0TQRDUMK">GRE</a> tunnels, DMVPN allows for several <a href="/facts/Encryption/16q29Fdv">encryption</a> schemes (including none) for the encryption of data traversing the tunnels. For security reasons Cisco recommend that customers use <a href="/facts/Advanced_Encryption_Standard/HdXGBY2Q">AES</a>.<a class="footnote-ref" id="fnref:7" href="#fn:7"><sup>7</sup></a> </p> Phases <p>DMVPN has three phases that route data differently. </p> <ul><li>Phase 1: All traffic flows from spokes to and through the hub.</li> <li>Phase 2: Start with Phase 1 then allows spoke-to-spoke tunnels based on demand and triggers.</li> <li>Phase 3: Starts with Phase 1 and improves scalability of and has fewer restrictions than Phase 2.</li></ul> <h2 id="external-links">External links</h2> <ul><li><a href="http://www.cisco.com/go/dmvpn">Cisco DMVPN</a></li></ul> <h2 id="references">References</h2> <ol> <li id="fn:1"><p>Cisco engineers. "Dynamic Multipoint IPsec VPNs (Using Multipoint GRE/NHRP to Scale IPsec VPNs)". Cisco. Cisco. Retrieved 24 September 2017. <a href="https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/41940-dmvpn.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/41940-dmvpn.html</a> <a href="#fnref:1" class="footnote-back-ref">↩</a></p></li> <li id="fn:2"><p>Huawei DSVPN Configuration <a href="http://support.huawei.com/enterprise/docinforeader.action?contentId=DOC1000019452&partNo=10092" target="_blank">http://support.huawei.com/enterprise/docinforeader.action?contentId=DOC1000019452&partNo=10092</a> <a href="#fnref:2" class="footnote-back-ref">↩</a></p></li> <li id="fn:3"><p>Kurniadi, S. H.; Utami, E.; Wibowo, F. W. (Dec 2018). "Building Dynamic Mesh VPN Network using MikroTik Router". Journal of Physics: Conference Series. 1140: 012039. doi:10.1088/1742-6596/1140/1/012039. ISSN 1742-6596. <a href="https://doi.org/10.1088%2F1742-6596%2F1140%2F1%2F012039" target="_blank">https://doi.org/10.1088%2F1742-6596%2F1140%2F1%2F012039</a> <a href="#fnref:3" class="footnote-back-ref">↩</a></p></li> <li id="fn:4"><p>"Datacenter Proxies Explained: What It Is and How It Works". Retrieved 2024-09-18. <a href="https://anyip.io/blog/what-are-datacenter-proxies" target="_blank">https://anyip.io/blog/what-are-datacenter-proxies</a> <a href="#fnref:4" class="footnote-back-ref">↩</a></p></li> <li id="fn:5"><p>DMVPN Design Guide: Using a Routing Protocol Across the VPN <a href="http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/DMVPN_2_Phase2.html#wp37674" target="_blank">http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/DMVPN_2_Phase2.html#wp37674</a> <a href="#fnref:5" class="footnote-back-ref">↩</a></p></li> <li id="fn:6"><p>DMVPN Design Guide: Routing Protocol Configuration <a href="http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/DMVPN_2_Phase2.html#wp38033" target="_blank">http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/DMVPN_2_Phase2.html#wp38033</a> <a href="#fnref:6" class="footnote-back-ref">↩</a></p></li> <li id="fn:7"><p>DMVPN Design Guide: Best Practices and Known Limitations <a href="http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/DMVPN_1.html#wp37110" target="_blank">http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/DMVPN_1.html#wp37110</a> <a href="#fnref:7" class="footnote-back-ref">↩</a></p></li> </ol>