Overview: This session is for those wanting to obtain additional information about the more current method of implementing a large-scale VPN deployment using Cisco routers and firewalls. There is mystery and confusion about what DMVPN is and how it can benefit the enterprise. Dynamic Multipoint VPN (DMVPN) is a combination of features that reduce some of the complexity of connecting a central location to multiple branch locations that need a secure communications path (VPN). It uses multipoint GRE (mGRE) and the Next-Hop Resolution Protocol (NHRP) to create a hub-and-spoke or multi-hub-and-spoke topology. Security (encryption) may or may not be involved, depending on the needs of a given site.
Both mGRE and NHRP are relatively new, so they are less well understood than the legacy methods for accomplishing the same tasks. I will explain the technologies used and show how they can benefit the enterprise.
Multipoint GRE: Normally a GRE tunnel is a point-to-point interface with a defined source and destination. In a hub-and-spoke network, the hub router would need n tunnel interfaces, one for each spoke location. With an mGRE tunnel, the hub router needs only a single tunnel interface with n destinations. The remaining issue is defining the destination, or next hop, of the tunnel for each packet; that is where NHRP comes in.
Next-Hop Resolution Protocol: NHRP is defined in RFC 2332, which created a distributed mapping database of tunnel (logical) addresses to real (NBMA) addresses for non-broadcast multi-access networks. The hub router acts as the server that registers the spoke routers, which act as clients. The configuration of the hub router is minimal; the spokes are the ones initiating the connections. Mappings need to be configured from spoke to hub, but not the other way around. The hub builds the relationships dynamically from the spokes' initial registration requests. There has to be an underlying transport that allows communication between the spokes and the hub.
Putting it together: Spokes have a permanent GRE tunnel to the hub (built dynamically when they register), but not to other spokes. They register as clients of the NHRP server. When a spoke needs to send a packet to a destination (private) subnet behind another spoke, it queries the NHRP server for the real (outside) address of the destination spoke. Now the originating spoke can initiate a dynamic GRE tunnel to the target spoke, because it knows the peer address. The spoke-to-spoke tunnel is built over the same mGRE interface.
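The hub and spoke relationship described above, as an added Cisco IOS example that is not part of the session material. Addresses (hub public address 203.0.113.1, tunnel subnet 10.0.0.0/24), names (DMVPN-TS, DMVPN-PROF, DMVPNKEY), the pre-shared key placeholder and interface Gi0/0 are all constructed for illustration.

```text
! ==== Hub: constructed example, public (NBMA) address 203.0.113.1 on Gi0/0 ====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! wildcard PSK because spoke public addresses are not known in advance
crypto isakmp key <PSK-PLACEHOLDER> address 0.0.0.0 0.0.0.0
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip nhrp authentication DMVPNKEY
! hub holds no static spoke maps; it learns them from spoke registrations
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
! one mGRE interface serves every spoke instead of n point-to-point tunnels
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
! optional, per the session text: omit if a given site needs no encryption
 tunnel protection ipsec profile DMVPN-PROF
!
! ==== Spoke (same crypto blocks as the hub, then:) ====
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 ip nhrp authentication DMVPNKEY
! static mapping spoke -> hub only; the reverse direction is learned dynamically
 ip nhrp map 10.0.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 100
! register as an NHRP client of the hub (the next-hop server)
 ip nhrp nhs 10.0.0.1
 tunnel source GigabitEthernet0/0
! multipoint here too, so a spoke-to-spoke tunnel can be built after resolution
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
!
! Check: on the hub, spoke entries appear as "dynamic"; on a spoke only the hub is
! static until traffic to another spoke triggers a resolution request
show ip nhrp
show dmvpn
```

A routing protocol over Tunnel0 (not shown) advertises the private subnets; for the spoke-to-spoke tunnels described above it must keep the originating spoke's tunnel address as the next hop rather than rewriting it to the hub.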
Areas Covered in the Session:
Who Will Benefit: