DMVPN (Dynamic Multipoint Virtual Private Network) is an enhancement of the virtual private network configuration process on Cisco IOS based routers. DMVPN eliminates the need for pre-configured (static) IPsec peers in crypto map configurations and ISAKMP peer statements. This IOS feature allows greater scalability than earlier IPsec configurations. An IPsec tunnel between two Cisco routers may be created on an as-needed basis. Tunnels may be created between a spoke router and a hub router (VPN headend), or directly between spokes. This removes the need for the hub to relay all traffic between spoke networks, as was common in a non-fully-meshed (hub-and-spoke) Frame Relay topology.
A DMVPN spoke is configured with one or more hub IP addresses. DMVPN hub IP addresses are typically static, such as at a corporate headquarters. DMVPN spoke IP addresses may be static or dynamic; an example would be a DMVPN spoke router acting as a DHCP client on a DSL or cable provider's network. The spoke router is configured with the hub's IP address, allowing it to connect whenever it is online. The hub router does not need to be configured with the IP addresses of the spoke routers. This allows many spoke VPN routers to be deployed without configuring additional peers on the hub(s). Previously, the hub configuration grew every time a spoke VPN router was added to the IPsec network.
To avoid routing spoke-to-spoke traffic through the hub router, NHRP (Next Hop Resolution Protocol, RFC 2332) is used for spoke discovery. A DMVPN spoke router learns the static or dynamic IP address of other spoke routers using NHRP. Additional IPsec tunnels are created as needed for spoke-to-spoke traffic. These tunnels are torn down after they are no longer needed, to conserve resources. This is a great benefit for delay-sensitive traffic, such as IP telephony and other real-time applications: the delay a spoke router would otherwise incur by going through the hub to reach another spoke is avoided. For redundancy, a spoke router can be mapped to more than one DMVPN hub.
For internal routing, a dynamic routing protocol is run between the spokes and hubs, as well as between spokes. Cisco EIGRP or OSPF are commonly used for further scalability. DMVPN is considered by many engineers to be superior to earlier dynamic IPsec technologies such as TED (Tunnel Endpoint Discovery).
In summary, DMVPN is a framework technology consisting of:
1. an IPsec profile, which is associated with a virtual tunnel interface in IOS software; traffic sent via the tunnel is encrypted according to the configured policy (IPsec transform set)
2. GRE (Generic Routing Encapsulation), or multipoint GRE (mGRE) if spoke-to-spoke tunnels are desired
3. NHRP (Next Hop Resolution Protocol)
4. a dynamic routing protocol, such as Cisco EIGRP or OSPF
For sample configurations or more on the technology please visit www.cisco.com