Unpacking DMVPN and Making the Most of DMVPNs
DMVPN (Dynamic Multipoint Virtual Private Network) is a VPN solution that is designed to create tunnel connectivity between branch offices or between branch offices and hubs.
One of the key challenges in VPNs is the IP addressing scheme, especially when a static IP address is not available at the endpoint. This creates the requirement for a solution such as DMVPN to support dynamic IP addresses, at least on the spokes (i.e. branch offices).
Another challenge for DMVPN-type solutions is supporting mesh architectures, i.e. branch-to-branch (spoke-to-spoke) tunneling that does not have to pass through the hub, because the number of mesh connections can grow as high as N x N, where N is the number of spokes. This can easily become a limitation, especially with lower-end spoke devices. DMVPN handles this by generating the spoke-to-spoke tunnel dynamically, only when needed, i.e. only when there is traffic for the destination on the other end of the tunnel. This saves resources and enables mesh or partial-mesh connectivity without hitting performance limits.
DMVPN uses Multipoint GRE (mGRE) tunnel interfaces to simplify the configuration. DMVPN uses the Next Hop Resolution Protocol (NHRP) to record, in a database, the real public IP address behind each spoke's tunnel address. This NHRP database is consulted to obtain the real IP address of a target spoke whenever there is traffic for that destination, so the tunnel can be built on demand.
DMVPN supports NAT natively, since a common use case is a remote home-office worker connecting to the corporate network over VPN.
DMVPN networks can be used as the primary connectivity between branches, but it is also not uncommon for DMVPN to serve as backup connectivity for a layer 2 MPLS network. Increasingly, companies are exploring DMVPN as an alternative to expensive MPLS lines; the roadblock has been the WAN performance of the broadband lines that DMVPN relies on. Technologies such as broadband bonding can resolve this shortcoming, allowing DMVPN to replace MPLS without sacrificing performance or reliability. Broadband bonding can bring in cost-effective DSL, cable, LTE or 5G wireless networks and combine them to create a blend of WAN connectivity that is both high performance and cost effective. Layering DMVPN transparently over a broadband-bonded WAN is an ideal solution for MPLS replacement.
DMVPN networks commonly carry application flows for real-time applications such as VoIP, SIP and video, and of course data. The added benefit of a broadband-bonded transport is the ability to dynamically steer application flows to match the SLAs the applications require. Bonding tunnels of this type are application-centric and can therefore be viewed as a specialized overlay transport that DMVPN can take advantage of to boost application performance and support strict SLAs.
IPsec encryption can be enabled or disabled with DMVPN, so tunnel encryption can be performed either by DMVPN or by the broadband bonding tunnel. The former is the usual choice, as the broadband bonding tunnel is added to a network that already has DMVPN.
Cahit Akin, CEO, Mushroom Networks, Inc.
Mushroom Networks is the provider of Broadband Bonding appliances that put your networks on auto-pilot. Application flows are intelligently routed around network problems such as latency, jitter and packet loss. Network problems are solved even before you can notice.