April 25, 2024

Dynamic Multipoint VPN DMVPN Architecture

There are a number of different ways an engineer can implement a DMVPN network. The fact that there is a variety of DMVPN Architecture models, each with its own caveats and requirements, means that almost any VPN requirement can be met, as long as we have the correct hardware, software license and knowledge to implement it.

Speaking of implementation, no matter how complex the DMVPN network might get, it’s pretty straightforward once it’s broken down into sections.

Engineers already working with complex DMVPNs can appreciate this and see the simplicity in configuration they offer.  At the end, it’s all a matter of experience.

Providing configuration for each deployment model is out of this article’s scope, however, we will identify key services used in each deployment model along with their strong and weak points.

Future articles will cover configuration of all DMVPN Architecture deployment models presented here.

Following are the most popular DMVPN deployment models, found in over 85% of DMVPN deployments across the globe:

  • Single DMVPN Network/Cloud  – Single Tier Headend Architecture
  • Single DMVPN Network/Cloud  – Dual Tier Headend Architecture
  • Dual DMVPN Network/Cloud – Single Tier Headend Architecture
  • Dual DMVPN Network/Cloud – Dual Tier Headend Architecture

In every case a complete DMVPN deployment consists of the following services, also known as control planes:

  1. Dynamic Routing (Next Hop Resolution Protocol)
  2. mGRE Tunnels
  3. Tunnel Protection – IPSec Encryption that protects the GRE tunnel and data

It’s time now to take a look at each deployment model.

Single DMVPN Network/Cloud – Single Tier Headend Architecture

This deployment model is DMVPN Architecture in its simplest form.  It consists of the main Hub located at the headquarters and remote spokes spread amongst the remote offices.

Figure: DMVPN Architecture

The term ‘Single DMVPN’ refers to the fact there is only one DMVPN network in this deployment.  This DMVPN network consists of the yellow GRE/IPSec Hub-and-Spoke tunnels terminating at the central Hub from one end and the remote spokes on the other end.

The term ‘Single Tier Headend’ means that all control planes are incorporated into a single router – the Hub. This means it takes care of the dynamic routing (NHRP), mGRE tunnels and IPSec Tunnel Protection.

The central hub maintains the Next Hop Resolution Protocol (NHRP) database and is aware of each spoke’s public IP address.

When setting up a DMVPN Architecture network, every spoke is configured, using static NHRP mappings, to register with the Hub. Through this process, every spoke is aware of every other spoke’s public IP address via the NHRP server (Hub), whether the spokes’ IP addresses are dynamic or static.

Through DMVPN, each spoke is able to dynamically build a VPN tunnel to each other spoke, allowing the direct communication between them without needing to tunnel all traffic through the main Hub. This saves valuable bandwidth, time and money.

We should at this point note that in Phase 1 DMVPN, all traffic passes through the Hub. Phase 2 and Phase 3 DMVPN form spoke-to-spoke tunnels directly and send traffic between spokes, bypassing the Hub.

The Single DMVPN – Single Tier Headend Architecture has the advantage of requiring only one Hub router, however, the Hub’s CPU is also the limiting factor for this deployment’s scalability as it undertakes all three control planes (NHRP, mGRE & IPSec protection).

In addition, the Hub router and its link to the Internet are the single points of failure in this design. If either of the two (Hub or Internet link) fails, it can cripple the whole VPN network.

This DMVPN Architecture model is a usual approach for a limited budget DMVPN network with a few remote branches.  Routing protocols are also not required when implementing a single DMVPN network/cloud. Instead, static routes can be used with the same end result.

Single DMVPN Network/Cloud – Dual Tier Headend Architecture

This DMVPN Architecture deployment consists of two routers at the headquarters. The first router, R1, is responsible for terminating the IPSec connections to all spokes, offloading the encryption and decryption process from the main Hub behind it. The Hub router undertakes the termination of the mGRE tunnels, the NHRP server role and the processing of all routing protocol updates.

Figure: Single DMVPN Network

The only real advantage offered by the Dual Tier Headend Architecture (Single DMVPN cloud) is that it can support a significantly greater number of spokes.

A limitation of the Dual Tier Headend Architecture is the absence of spoke-to-spoke connections: in Dual Tier DMVPN, spoke-to-spoke tunnels are not supported.

Dual DMVPN Network/Cloud – Single Tier Headend Architecture

The Dual DMVPN topology with spoke-to-spoke deployment consists of two headend routers, Hub 1 and Hub 2. Each DMVPN network (DMVPN 1 & DMVPN 2) represents a unique IP subnet; one is considered the primary DMVPN while the other is the secondary/backup DMVPN.

Figure: Dual DMVPN Network

The dynamic Spoke-to-Spoke tunnels created between branches must be within a single DMVPN network.  This means that spoke-to-spoke tunnels can only be created between spokes in the same DMVPN network.

With Dual DMVPN – Single Tier Headend Architecture, each Hub manages its own DMVPN network. Each Hub undertakes the task of IPSec encryption/decryption, mGRE Tunnel termination and NHRP Server for its DMVPN Architecture.  A routing protocol such as EIGRP or OSPF is usually implemented in this type of setup to ensure automatic fail-over in case the primary DMVPN fails.

Dual DMVPN – Single Tier Architecture is considered an extremely flexible and scalable setup as it combines the best of both worlds – that is, true redundancy with two separate Hubs and DMVPN Architecture networks, plus support for spoke-to-spoke tunnels.
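Added example, not from the article: a spoke configuration for the Dual DMVPN – Single Tier model, with one mGRE tunnel per cloud and EIGRP providing the automatic fail-over described above. Hub addresses, tunnel subnets, the spoke LAN, the NHRP strings and the IPsec profile name DMVPN-PROFILE (assumed to be defined together with an ISAKMP policy as on any DMVPN spoke) are assumed values.

```cisco
! Spoke with one mGRE tunnel per DMVPN cloud, each registering with its own Hub.
! Assumed: Hub 1 public 198.51.100.1 / tunnel 10.0.1.1, Hub 2 public 203.0.113.1 / tunnel 10.0.2.1,
! spoke LAN 192.168.2.0/24, ISAKMP policy and IPsec profile DMVPN-PROFILE already defined.
interface Tunnel0
 description DMVPN 1 (primary) to Hub 1
 ip address 10.0.1.2 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ! Lower delay = better EIGRP metric, so DMVPN 1 is preferred while it is up.
 delay 1000
 ip nhrp authentication DMVPN1
 ip nhrp map 10.0.1.1 198.51.100.1
 ip nhrp map multicast 198.51.100.1
 ip nhrp network-id 1
 ip nhrp nhs 10.0.1.1
 ip nhrp shortcut
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 ! Distinct tunnel keys let the router tell the two clouds apart on one source interface.
 tunnel key 1
 ! 'shared' is required when several tunnels use one source interface and one IPsec profile.
 tunnel protection ipsec profile DMVPN-PROFILE shared
!
interface Tunnel1
 description DMVPN 2 (backup) to Hub 2
 ip address 10.0.2.2 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ! Higher delay worsens the EIGRP metric, so DMVPN 2 carries traffic only when DMVPN 1 is down.
 delay 1500
 ip nhrp authentication DMVPN2
 ip nhrp map 10.0.2.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 2
 ip nhrp nhs 10.0.2.1
 ip nhrp shortcut
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 2
 tunnel protection ipsec profile DMVPN-PROFILE shared
!
! EIGRP over both clouds: when the neighbour over Tunnel0 times out, routes learned via Tunnel1 take over.
router eigrp 100
 network 10.0.1.0 0.0.0.255
 network 10.0.2.0 0.0.0.255
 network 192.168.2.0 0.0.0.255
```

Each Hub runs the matching EIGRP process for its own cloud; on the Hub's tunnel interface `no ip split-horizon eigrp 100` is needed so that spoke prefixes learned over the mGRE tunnel are re-advertised to the other spokes.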

Dual DMVPN Network/Cloud – Dual Tier Headend Architecture

The Dual DMVPN Network – Dual Tier Headend combines the previous two deployment methods in one setup.

The Dual DMVPN Network – Dual Tier Headend consists of two Hubs that deal only with mGRE tunnels and NHRP services, each Hub managing its own DMVPN Architecture network.

Front end routers R1 and R2 take care of all IPSec termination for all spokes, performing encryption/decryption as data enters or exits the IPSec tunnels.

Newer ISR G2 routers are capable of handling the heavy cryptographic processing for all VPN tunnels, as they are equipped with hardware-accelerated VPN modules that offload this work from the main CPU.

Figure: Dual DMVPN Network Architecture

As with the Dual DMVPN – Single Tier deployment model, each Hub manages its own DMVPN network and the connections with its spokes. Routing protocols are a necessity to ensure automatic fail-over to the secondary DMVPN network in case the primary fails.

Unfortunately, as with all Dual Tier deployments, we lose the spoke-to-spoke ability, but this might not be a limitation for some.


Hi! I am Shahed Israr. I try to help GPON Technology users with their queries and provide them with relevant and accurate information to the best of my ability. My main goal is to assist and support GPON Technology users and help people find the answers they're looking for quickly and easily.






One thought on “Dynamic Multipoint VPN DMVPN Architecture”

  1. Dear Sir,

    It is a very nice article and post on DMVPN. I am interested in the DMVPN Single Tier Headend. I just have a doubt: how do I configure the DMVPN Single Tier Headend?
    Please show me the configuration.

    Sincerely yours,
