Cisco DMVPN Video Guide to Configuration and Deployment
Submitted by admin on Wed, 03/12/2014 - 17:38
Dynamic Multipoint VPN (DMVPN) originally set out to provide a more economical alternative to other WAN technologies like Frame Relay and MPLS. During the first few years after its inception, implementing DMVPN was a bit of a challenge because of limited features, bugs, and a general lack of understanding. Now that the difficult time has passed, DMVPN is considered a mature technology and has become a viable low-cost WAN solution due to its scalability and security, not to mention the many features that have been added over the years. In addition, as the cost of internet access continues to drop, and given the reliability of the internet today, people are becoming more comfortable running their business applications, even VoIP, across the internet, so it is no longer rare to find DMVPN being used as a primary WAN connection.
Lab Minutes has put together a series of video tutorials to help you not only learn how to configure DMVPN on Cisco routers, but also understand the underlying technologies and operations, so that you are fully equipped and ready to deploy DMVPN in your network or prepared for certification.
This article guides you through the DMVPN videos available on our website, either as free online streaming or video download, and provides an overview of how best to use these videos to maximize your learning experience. For more information on the technology, please consult Cisco documentation.
DMVPN operates with hub routers as the central point of intelligence: they have complete knowledge of all spoke sites and are responsible for coordinating connection establishment between spokes. Next Hop Resolution Protocol (NHRP) provides a mechanism for spoke routers to make themselves known to the hub via a process of registration. Since NHRP is essentially DMVPN without encryption, it makes the most sense to study NHRP first; that way, we can also look inside NHRP packets while they are still unencrypted. The first two videos cover NHRP in different phases. Without giving too much away, Phase 1 supports the most basic topology, Hub-to-Spoke. Phase 2 extends the capability to support dynamic Spoke-to-Spoke tunnels, while Phase 3 increases scalability with support for route summarization and hierarchy, enabling Spoke-to-Spoke tunnels across multiple DMVPN clouds. As a side note, although we run EIGRP as the routing protocol in our labs, many other routing protocols are also compatible with DMVPN.
At this point, you should have a good understanding of NHRP and hopefully have NHRP functioning in your network setup. The next step is simply to apply an encryption layer on top using IPsec, and you have yourself a DMVPN. The next two videos show how to enable IPsec encryption on tunnel interfaces, which allows all GRE traffic to be encapsulated inside IPsec. We will repeat the same three phases, but this time concentrate on the crypto side of the configuration.
Redundancy is almost a requirement for guaranteeing network uptime, so the next few videos demonstrate the two most commonly used DMVPN designs, Dual Hub Dual Cloud and Dual Hub Single Cloud, and discuss the pros and cons of each method. In contrast to the first two methods, which rely on routing to achieve failover, the third method uses a clustering feature that allows a spoke to choose which hub router in the cluster to register with and to perform failover on its own.
- SEC0003 - DMVPN Redundancy - Dual Hub Dual Cloud
- SEC0004 - DMVPN Redundancy - Dual Hub Single Cloud
- SEC0012 - DMVPN NHS Cluster and Recovery Backup
Here are some miscellaneous features that are also available for you to consider when implementing DMVPN.
The Per-Tunnel QoS feature allows a unique QoS policy (queuing, policing, shaping, etc.) to be applied outbound at a hub router towards each spoke. This provides a great deal of flexibility, as opposed to being able to apply only a single QoS policy at the physical or tunnel interface collectively to all traffic.
The DHCP Tunnel Support feature allows an IP address to be dynamically assigned to the tunnel interface at a spoke router so that you no longer need to worry about managing IP addresses within a DMVPN cloud. Convenience does come at a price: the DHCP server can potentially become another point of failure, and the tunnel IP address becomes unpredictable. Since some people still like to statically assign IP addresses to their sites with the site number embedded in the address, this feature might be seen as less desirable.
Hopefully these videos have provided enough working knowledge of DMVPN, and with minor modification, any configuration that you have seen here can readily be applied to a production environment. If you have any questions, feel free to post them under the corresponding video page or on the Lab Minutes forum.
All videos referenced in this guide are available for purchase under Cisco DMVPN Video bundle