Dynamic Multipoint VPN (DMVPN)

DMVPN is an old¹ Cisco-proprietary technology that combines NHRP, IPsec, IKEv2 and multipoint GRE tunnels to build dynamically-provisioned multi-access VPNs.

The easiest way to master DMVPN is to watch the ipSpace.net DMVPN webinars, and every now and then someone still finds them somewhat useful:

• Advanced DMVPN Webinar: Router Configurations
• DMVPN: How to Get from Zero to Hero?
• DMVPN Deployment Success Story
• Feedback: DMVPN Webinars

I also wrote dozens of DMVPN-related blog posts. Hope you’ll enjoy them!

The Basics

DMVPN always relies on a hub-and-spoke topology, but enables direct communication between spokes (Phase-2 DMVPN) and simplified routing with NHRP redirects (Phase-3 DMVPN).

• DMVPN Phase 1 Fundamentals
• DMVPN Phase 2 Fundamentals
• The Fundamental Difference between Phase 2 and Phase 3 DMVPN
• DMVPN Scalability
• Is Anyone Using DMVPN-over-IPv6?

Routing Protocols in DMVPN Networks

Routing protocols face significant challenges in DMVPN networks due to very large number of directly-connected neighbors, with EIGRP faring better than OSPF, and BGP being the only viable solution in deployments with a very large hub-to-spoke ratio.

• EIGRP Summarization in DMVPN Phase 2 Networks
• Solution: EIGRP Summarization Breaks Phase 2 DMVPN
• Can You Run OSPF over DMVPN?
• Using BGP in Phase 1 DMVPN network
• OSPF Configuration in Phase 1 DMVPN Network
• Configuring OSPF in a Phase 2 DMVPN network
• More OSPF-over-DMVPN Questions
• OSPF-over-DMVPN Using Two Hub Routers
• More Private AS Numbers
• BGP Routing in DMVPN Networks
• Scaling BGP-Based DMVPN Networks
• Changes in IBGP Next Hop Processing Drastically Improve BGP-based DMVPN Designs
• Reducing BGP SNMP Traps in DMVPN Networks
• DMVPN Split Default Routing
• Another DMVPN Routing Question

Typical DMVPN Designs

• Sometimes You Need to Step Back and Change Your Design
• VPN Network Design: Selecting the Technology
• DMVPN as a Backup for MPLS/VPN
• Redundant DMVPN designs, Part 1 (The Basics)
• Redundant DMVPN Designs, Part 2 (Multiple Uplinks)
• Regional Internet Exits in Large DMVPN Deployment

DMVPN Deployment Guidelines

• DMVPN: from Concept to Pilot in 36 Hours
• MPLS/VPN-over-GRE-over-IPSec: Does It Really Work?
• Migrating from Phase 1 DMVPN to Phase 2/3 Network
• Combining DMVPN with Existing MPLS/VPN Network
• Real Life BGP Route Origination and BGP Next Hop Intricacies
• Building a DMVPN Test Lab with netlab

Integration with Other Network Technologies

• End-to-End QoS marking in MPLS/VPN-over-DMVPN networks
• Spoke-to-Spoke IP Multicast over DMVPN?
• QoS in Large-Scale DMVPN Networks
• DMVPN: Spoke QoS Challenge
• RSVP over DMVPN
• Inter-VRF NAT in DMVPN Deployments

DMVPN Alternatives

• DMVPN or Firewall-Based VPNs?
• Open-Source DMVPN Alternatives

Quirks and Implementation Details

I wrote numerous blog posts documenting DMVPN quirks while preparing the materials for the DMVPN webinars. Most of these blog posts were written in early 2010s and might no longer be relevant.

• Tunnel Route Selection and DMVPN Tunnel Protection Don’t Work Together
• uRPF Violation Logging Is Not Working on 12.4T
• DMVPN: Non-Unique NHRP Registrations
• DMVPN Spoke NHRP Behavior Changed in IOS Release 15.0M
• NHRP Convergence Issues in Multi-Hub DMVPN Networks
• NHRP Rate Limiting Can Hurt Your DMVPN Network
• The Impact of Changed NHRP Behavior in DMVPN Networks

Other Blog Posts Vaguely Related to DMVPN

• DMVPN: Fishing Rod or Grilled Tuna?
• Where Would You Need GRE?
• Viptela SEN: Hybrid WAN Connectivity with an SDN Twist
• Should I Use L2VPN+MACSEC or L3VPN+GETVPN?
• Use Existing (DMVPN) Device Configurations in netlab