Question

Write a report on Dynamic multipoint VPN (DMVPN) and compare it to Hub and spoke VPN note : page or page and half

Answer #1

What is DMVPN?

DMVPN technology is a solution proposed by Cisco to create a virtual tunnel between employees on the internet.

DMVPN consists of four major protocols:

1) mGRE (multipoint GRE):

It is a special GRE technology that is similar to multipoint frame relay technology and is also a typical NBMA network. The mGRE tunnel interfaces of all sites are on the same network segment. Any branch site that enters the mGRE network can not only communicate with the central site but also communicate directly with other branch sites. This shows that the first one of DMVPN is somewhat virtual mesh connectivity.

2) NHRP (Next Hop Address Resolution Protocol):

It is very similar to the ARP protocol in Ethernet. The NHRP is a mapping between the virtual address (i.e., logical address) of the mGRE tunnel to a fixed configuration or dynamically obtained public IP address (i.e., physical address) of each station. The branch site registers the tunnel virtual IP of the branch site with the dynamically obtained public IP address through the NHRP protocol. Because the registration is dynamic, the branch site supports the dynamic acquisition of the IP address.

3) Dynamic routing protocol:

The main purpose of the dynamic routing protocol is to announce the tunnel network and the private network behind the site so that each site can learn the route of the network behind other sites.

4) IPSEC technology:

IPsec encrypts the traffic of mGRE. In fact, it can be understood that DMVPN is mGRE over IPsec; the IPsec VPN configuration is the same as the IPsec VPN configuration in GRE over IPsec. DMVPN also uses the transport mode.


Steps to configure DMVPN:

1) Configure mGRE and NHRP

2) Configure the dynamic routing protocol

3) Configure IPsec VPN

Let's take a look at how NHRP solves the problem of static IP addresses and makes the VPN "moving":

1. Dynamic tunnel establishment from branch to center (Spoke-to-Hub)

In a DMVPN network, there is no GRE or IPSec configuration information about the branch on the central router. On the branch router, the GRE tunnel must be configured according to the public IP address of the central router and the NHRP protocol.
When the branch router is powered on, the ISP obtains the IP address through DHCP, and automatically establishes an IPSec-encrypted GRE tunnel, and registers its own external network port IP address with the NHRP through the NHRP (it looks like a bounce connection).

There are three reasons for this:

1. Since the IP address of the branch network's external network port is automatically obtained, the IP address may be different each time it goes online, so the central router cannot configure according to the address information.

2. The central router does not need to configure GRE or IPSec information for all branches, which greatly simplifies the configuration of the central router. All relevant information is automatically available through NHRP (i.e., the branch reports its characteristics to the center).

3. When the DMVPN network is extended, it is not necessary to change the configuration of the central router and other branch routers. With the dynamic routing protocol, the newly joined branch router will be automatically registered to the central router. In this way, all other branch routers can learn this new route, and the newly added branch router can also learn the routing information to all other routers until convergence. (The central router is like the OSPF DR)

2. Branch to branch (Spoke-to-Spoke) dynamic tunnel establishment

In a DMVPN network, a branch-to-center (Spoke-to-Hub) tunnel persists once it is established, but there is no need to directly configure a continuous tunnel between branches. When a branch needs to pass a packet to another branch, it uses NHRP to dynamically obtain the IP address of the destination branch. In this process, the central router acts as the NHRP server, and provides the public branch address of the target branch to the source branch in response to the NHRP request. Therefore, an IPSec tunnel is dynamically established between the two branches through the mGRE port for data transmission. The tunnel will be automatically removed after a predefined period.

In a DMVPN network, a branch-to-center (Spoke-to-Hub) tunnel persists once established, and there are no persistent tunnels between branches. In this way, after the router is initialized, the central router announces the reachable routes of other branch subnets to the branch router through the persistent tunnel. Here, it seems that the "multiple" "dynamic" problem has been solved, DMVPN can work normally, right?!

No! Currently, the "next hop" address of the branch router's routing table that reaches other branch subnets is still the tunnel port address of the central router, not the tunnel port address of other branch routers. As a result, the data transfer between the branch and the branch still passes through the central router.
To solve this problem, the "next hop" address must be the tunnel port address of the branch router, not the address of the central router, when the central router is set to announce the reachable route of a branch subnet on the mGRE tunnel port.
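
A minimal Cisco IOS configuration that follows the three configuration steps listed in the answer (mGRE and NHRP, dynamic routing, IPsec), added here as an illustration and not part of the original answer. The addresses (documentation ranges), interface names, EIGRP AS 100, the `DMVPN-TS`/`DMVPN-PROF` names and the `<PSK>`/`<NHRP-KEY>` placeholders are all assumptions; `no ip next-hop-self eigrp 100` on the hub is the EIGRP setting that keeps the originating spoke as the advertised next hop.

```cisco
! Constructed example: addresses use documentation ranges,
! <PSK> and <NHRP-KEY> are placeholders.
! ---- Hub and spokes: IPsec protection for mGRE (step 3) ----
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Wildcard peer address, because spoke public addresses are dynamic
crypto isakmp key <PSK> address 0.0.0.0 0.0.0.0
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
! ---- Hub (public 203.0.113.1, tunnel 10.0.0.1) ----
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp authentication <NHRP-KEY>
 ip nhrp network-id 1
 ! Learn multicast destinations from NHRP registrations
 ip nhrp map multicast dynamic
 ! Re-advertise spoke routes out the same tunnel interface
 no ip split-horizon eigrp 100
 ! Keep the originating spoke, not the hub, as next hop
 no ip next-hop-self eigrp 100
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
router eigrp 100
 network 10.0.0.0 0.0.0.255
 network 192.168.0.0 0.0.0.255
!
! ---- Spoke (public address from DHCP, tunnel 10.0.0.2) ----
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip nhrp authentication <NHRP-KEY>
 ip nhrp network-id 1
 ! Register with the hub (NHS) and map its tunnel IP to its public IP
 ip nhrp nhs 10.0.0.1
 ip nhrp map 10.0.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
router eigrp 100
 network 10.0.0.0 0.0.0.255
 network 192.168.2.0 0.0.0.255
```

A wildcard pre-shared key is shared by every spoke, so one compromised branch router exposes the key for the whole network; certificate-based IKE authentication avoids that.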
