Dynamic Multipoint Virtual Private Network (DMVPN)
- “Do I Know This Already?” Quiz
- Foundation Topics
- DMVPN Overview
- DMVPN Network Components
- DMVPN Design Considerations
- DMVPN Phase 1 Hub-and-Spoke Implementation
- DMVPN Phase 2 Spoke-to-Spoke Implementation
- DMVPN Phase 3 Spoke-to-Spoke Implementation
- DMVPN Troubleshooting
- Summary
- References
- Exam Preparation Tasks
- Review All Key Topics
- Complete Tables and Lists from Memory
- Define Key Terms
Dynamic Multipoint Virtual Private Network (DMVPN) enables different branch locations to communicate in a direct and secure manner using either a public or a private network. In this sample chapter from CCNP Security Virtual Private Networks SVPN 300-730 Official Cert Guide, you will explore DMVPN core concepts, risks, design considerations, and more.
“If you read someone else’s diary, you get what you deserve.”
—David Sedaris
This chapter covers the following subjects:
DMVPN Overview: This section provides an overview of the advantages DMVPN provides and compares DMVPN to the legacy site-to-site crypto map solution.
DMVPN Network Components: This section examines the components of DMVPN and how they work together to create a dynamic solution.
DMVPN Design Considerations: This section discusses design issues that must be considered before deploying a DMVPN solution as well as the differences between DMVPN phase 1, DMVPN phase 2, and DMVPN phase 3 configuration.
DMVPN Hub-and-Spoke Implementation for IPv4: This section steps through a basic DMVPN hub-and-spoke IPv4 configuration. Examples demonstrate how the DMVPN components interact to provide a comprehensive three-router solution.
DMVPN Hub-and-Spoke Implementation for IPv6: This section steps through a basic DMVPN hub-and-spoke IPv6 configuration.
DMVPN Troubleshooting: This section discusses how to troubleshoot DMVPN components and provides potential solutions.
This chapter covers the following exam objectives:
1.0 Site-to-site Virtual Private Networks on Routers and Firewalls
1.2 Describe uses of DMVPN
3.0 Troubleshooting using ASDM and CLI
3.1 Troubleshoot IPsec
3.2 Troubleshoot DMVPN
4.0 Secure Communications Architectures
4.1 Describe functional components of GETVPN, FlexVPN, DMVPN, and IPsec for site-to-site VPN solutions
4.3 Recognize VPN technology based on configuration output for site-to-site VPN solutions
4.6 Design site-to-site VPN solutions
Learning beyond the SVPN concepts:
- DMVPN Overview
- DMVPN Foundational Concepts
- DMVPN Design Considerations
In earlier chapters of this book, you have seen that secure VPN technology varies and has been adapted for use in many different architectures by vastly different organizations. This chapter explores a dynamic adaptation of the site-to-site VPN solution. Traditional site-to-site VPNs did not scale easily, and Dynamic Multipoint Virtual Private Network (DMVPN) was designed to establish connections dynamically with minimal administrative overhead. Furthermore, traditional site-to-site VPNs had various challenges in supporting dynamic routing protocols, voice over IP (VoIP), and streaming video. All of these technologies are needed to support large-scale telecommuter and remote branch networks. In addition, the dynamic nature of DMVPN enables optimization of network paths, which in turn reduces latency and jitter, both of which are detrimental to VoIP and video. Organizations are finding that dedicated WAN circuits are no longer necessary for remote connectivity. In their place, organizations are using the Internet and secure communication through VPN technology to achieve the same benefits at a fraction of the cost.
A short summary of the value of DMVPN is that it can lower capital and operation expenses, simplify branch communications, reduce deployment complexity, and improve business resiliency. This is why DMVPN is a widely used VPN option and one you will need to master before attempting the SVPN exam. The SVPN exam expects you to be able to describe the components within a DMVPN deployment, recognize DMVPN configuration components, and troubleshoot a DMVPN deployment.
“Do I Know This Already?” Quiz
The “Do I Know This Already?” quiz enables you to assess whether you should read the entire chapter. If you miss no more than one of these self-assessment questions, you might want to move ahead to the “Exam Preparation Tasks” section of the chapter. Table 5-1 lists the major headings in this chapter and the “Do I Know This Already?” quiz questions related to the material in each of those sections to help you assess your knowledge of these specific areas. The answers to the “Do I Know This Already?” quiz appear in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes.”
Table 5-1 “Do I Know This Already?” Foundation Topics Section-to-Question Mapping
| Foundation Topics Section | Questions |
|---|---|
| DMVPN Overview | 1–3 |
| DMVPN Network Components | 4–6 |
| DMVPN Design Considerations | 7–10 |
| DMVPN Hub-and-Spoke Implementation | 11, 12 |
| DMVPN Troubleshooting | 13 |
1. What are some of the benefits of DMVPN technology compared to legacy site-to-site VPN solutions? (Choose three.)
   a. Multicast support
   b. Crypto map enhancement
   c. QoS support
   d. Dynamic routing protocol capabilities
   e. Complex administrative overhead
2. What is the primary reason companies select DMVPN over a legacy crypto map VPN solution?
   a. Static Internet addresses
   b. Dynamic Internet addresses
   c. Complex configuration overhead
   d. GRE support
3. What advantages does DMVPN offer that a crypto map–based VPN does not? (Choose two.)
   a. Scalability
   b. Lack of routing protocol support
   c. Reduced configuration overhead
   d. Increased bandwidth requirements
4. What are the key components of DMVPN? (Choose all that apply.)
   a. mGRE
   b. OSPF
   c. NHRP
   d. Static routes
   e. IPsec
   f. Routing protocols
5. Which DMVPN component is responsible for mapping the tunnel IP address to an external IP address?
   a. OSPF
   b. NHRP
   c. ISAKMP
   d. mGRE
6. Which DMVPN component enables the use of dynamic routing protocols across an IPsec tunnel?
   a. OSPF
   b. NHRP
   c. IPsec
   d. GRE
7. Which of the routing protocols used with DMVPN face a split-horizon issue? (Choose two.)
   a. OSPF
   b. EIGRP
   c. BGP
   d. RIP
8. Which routing protocol for use with DMVPN faces a non-broadcast multiple-access (NBMA) challenge that must be addressed?
   a. OSPF
   b. EIGRP
   c. BGP
   d. RIP
9. Which design considerations must you consider for DMVPN? (Choose two.)
   a. The number of IP address ranges
   b. The number of remote sites
   c. External IP addresses
   d. The need for quality of service (QoS) in applications
10. What is the difference between DMVPN phase 2 and DMVPN phase 3?
   a. There is no difference; they both support only hub-and-spoke solutions.
   b. DMVPN phase 2 supports hub-and-spoke solutions, and DMVPN phase 3 also supports spoke-to-spoke.
   c. DMVPN phase 2 has smaller routing tables.
   d. DMVPN phase 3 has smaller routing tables.
11. What keyword on a hub router enables connections from any remote spokes?
   a. multicast
   b. dynamic
   c. host
   d. map
12. Which command for EIGRP prevents a hub router from setting the next hop of a route advertised to a spoke to its own IP address?
   a. no ip split-horizon eigrp 1
   b. ip eigrp 1 non-broadcast
   c. no ip broadcast eigrp 1
   d. no ip next-hop-self eigrp 1
13. Which command would show whether the spoke router is registered with the NHS?
   a. show ip nhrp detail
   b. show ip nhs detail
   c. show ip nhrp nhs detail
   d. show ip nhrp client