Cisco’s Dynamic Multipoint VPN (DMVPN) Deployment Challenges

3 Oct, 2016 | Network Management

Thousands of organizations have been able to slash costs using Cisco’s Dynamic Multipoint VPN (DMVPN). This technology was introduced some time ago and is most often used to enable fully meshed communication for mobile workers, telecommuters and extranet users.

What is DMVPN?

DMVPN is a Cisco IOS® Software-based security solution for building scalable enterprise VPNs that support distributed applications such as voice and video. DMVPN is a combination of the following technologies:

  1. Multipoint GRE (mGRE),
  2. Next-Hop Resolution Protocol (NHRP),
  3. Dynamic Routing Protocol (EIGRP, RIP, OSPF, BGP),
  4. Dynamic IPsec encryption,
  5. Cisco Express Forwarding (CEF).

DMVPN Major Wins:

  • Simplifies branch communication: On-demand full mesh connectivity with simple hub-and-spoke configuration.
  • Versatility: Adding remote sites requires virtually no configuration. Cisco DMVPN can be deployed in zero-touch deployment models using Easy Secure Device Deployment for secure PKI-based device provisioning. Devices can be bootstrapped remotely, avoiding the need for extensive staging operations.
  • Improves business continuity: Cisco DMVPN enables routing-based resiliency, providing extremely rapid failover capabilities.

DMVPN Challenges?

Rolling out QoS for VoIP and video is challenging enough, but traffic shaping over links that offer no protection for your policies is a daunting proposition, bearing in mind all the while that the Internet is not QoS-aware!

Should we even consider the value of end-to-end QoS? Clark Zoeller, LiveAction Sales Engineer, makes these points in his blog. With a range of links available, each with differing and variable bandwidth, it's easy to understand why network engineers become frustrated managing QoS over these connections.

We can achieve success, however, by applying global policies at hub level and shaping the tunnel to individual spokes (a parent/child policy). This allows us to differentiate data flows, with the NHRP group selecting the spoke, shape and policy. Here is a great article highlighting this on Networking with Fish – DMVPN & Per-Tunnel QoS.
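The parent/child arrangement described above, sketched as Cisco IOS per-tunnel QoS configuration. This is an added example, not taken from the original post or the linked article. The class, policy and NHRP group names, the DSCP matches, the percentages and the 10 Mbps / 2 Mbps rates are all assumptions chosen for illustration.

```cisco
! --- Hub router (all names and rates below are illustrative assumptions) ---
class-map match-any VOICE
 match dscp ef
class-map match-any VIDEO
 match dscp af41
!
! Child policy: how traffic is queued inside each spoke's shaped rate
policy-map SPOKE-CHILD
 class VOICE
  priority percent 30
 class VIDEO
  bandwidth remaining percent 40
 class class-default
  fair-queue
!
! Parent policies: one shaper per spoke access-speed tier,
! each calling the same child policy
policy-map SHAPE-10M
 class class-default
  shape average 10000000
  service-policy SPOKE-CHILD
policy-map SHAPE-2M
 class class-default
  shape average 2000000
  service-policy SPOKE-CHILD
!
interface Tunnel0
 ! Map each NHRP group name to the parent policy the hub
 ! applies, per spoke, to traffic leaving toward that spoke
 ip nhrp map group SPOKE-10M service-policy output SHAPE-10M
 ip nhrp map group SPOKE-2M service-policy output SHAPE-2M
!
! --- Spoke router on a 2 Mbps link ---
interface Tunnel0
 ! The group name is sent to the hub in the NHRP registration,
 ! which is how the hub selects this spoke's shaper and policy
 ip nhrp group SPOKE-2M
```

On the hub, `show policy-map multipoint Tunnel0` lists the policy instantiated for each registered spoke, which confirms that the group-to-policy mapping took effect.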

Like everything else here at Prosperon, we believe in design: a well-thought-out Lab to Lab implementation is key to success. Consider these points:

  • Protect your high-priority traffic by means of DMVPN tunnels
  • Restrict casual internet traffic from affecting these tunnels
  • Remember that the maximum bandwidth between two points is that of the lowest-bandwidth connection between them

The challenge continues, however, because you are looking at hundreds of lines of configuration code from already existing policies at the datacentre as well as now at each hub. This is where a tool like LiveAction can minimize this element of configuration pain, using its powerful QoS control engine and rich visualization capabilities to configure, monitor, troubleshoot and validate DMVPN policies fast, so that DMVPN is more about ROI and less about challenges.

Training Course: SolarWinds Training Courses

Matt Crane

Director of Sales & Marketing

Matt Crane is the Director of Sales & Marketing at Prosperon Networks. Matt has years of experience working with SolarWinds customers and prides himself on delivering solutions that meet the needs of customers.
