Dynamic Multipoint VPN is a highly scalable solution based on GRE that can be used as part of a virtual private network. It's often compared to frame relay in the way it logically connects endpoints. A big difference is that frame relay needed a physical connection for its interfacing. With DMVPN, the hub and spoke interfaces are only logical, which makes it much cheaper and easier to use, setting aside the bandwidth capability of frame relay.

One of the use cases for DMVPN is as an alternative to MPLS. If you have multiple sites that need to be virtually directly connected, then having the service provider establish an MPLS circuit is a very good solution. It provides reliable bandwidth, QoS and a private network. However, the cost for an MPLS circuit is higher than a regular internet connection and may be significant enough to look at DMVPN as an alternative. You lose some of the MPLS features, but you gain the flexibility of being independent of the SP and the price will be lower. You need to compare the requirements for the network with the costs to make the choice between the two options. If you have a small remote office with data that doesn't require critical stability, real-time low latency and high bandwidth, then DMVPN is likely a good solution. There are a lot of advantages and disadvantages to DMVPN, but I won't get into detail on those. There are plenty of other good sources and well-documented considerations for deploying a DMVPN on the internet. I might make another post exploring advantages and disadvantages, but it's a big topic in itself.

The tunnel encapsulation can be done in hardware on the routers. Because you are tunnelling and have to encapsulate every packet, the throughput performance will take a hit. Refer to the vendor and the models for specific data about this.

Configuration & DMVPN features

I've made separate posts for the sake of keeping it clean. All configuration will be available on GitHub, which I link to in the posts.

How DMVPN works

I go through the components used to create a DMVPN network. These include GRE, NHRP and the optional encryption with IPsec. I look at the differences between the 3 phases of DMVPN, which are different kinds of implementation. The focus will be on phase 3 as it's the most dynamic/scalable implementation. I will also go through the configurations for the tunnel interfaces.

Beginning routing design for DMVPN

Initial configuration for setting up a DMVPN and a routing protocol. A more in-depth look with router output, configuration and topologies.

DMVPN OSPF continued

The second and, for now, last post about OSPF in DMVPN.


First part of using EIGRP in DMVPN. It's a bit short, but it's a start.

It is not the focus of this article to discuss the actual security of MPLS or DMVPN, but only the configuration and use cases.