Traffic between Branch 1 and Branch 2 has to be tunneled directly. Traffic between Branch 3 and Branch 4 has to be tunneled directly.

Multipoint GRE, as the name implies, allows us to have multiple destinations. When we use GRE Multipoint, there will be only one tunnel interface on each router. The HQ, for example, has one tunnel with each branch office as its destination.
|Published (Last):||23 August 2005|
Because mGRE tunnels do not have a tunnel destination defined, they cannot be used alone.

These include:

- Simplified Hub Router Configuration. No more multiple tunnel interfaces for each branch (spoke) VPN. No matter how many Spoke routers connect to the Hub, the Hub configuration remains constant.
- Spoke routers can use dynamic public IP addresses.
- Spoke routers are able to dynamically create VPN tunnels between them as network data needs to travel from one branch to another.
- Lower Administration Costs.
- Optionally, IP Security (IPSec) can be configured to provide data encryption and confidentiality.

IPSec is used to secure the mGRE tunnels by encrypting the tunnel traffic using a variety of available encryption algorithms.
The following requirements have been calculated for a traditional VPN network of a company with a central hub and 30 remote offices. All spokes connect directly to the hub using a tunnel interface.
The hub router is configured with three separate tunnel interfaces, one for each spoke. Each GRE tunnel between the hub-spoke routers is configured with its unique network ID. In addition, the hub router has three GRE tunnels configured, one for each spoke, making the overall configuration more complicated. If no routing protocol is used in our VPN network, adding one more spoke would mean configuration changes to all routers so that the new spoke is reachable by everyone.
Lastly, traffic between spokes in a point-to-point GRE VPN network must pass through the hub, wasting valuable bandwidth and introducing unnecessary bottlenecks.

With mGRE, all spokes are configured with only one tunnel interface, no matter how many spokes they can connect to. All tunnel interfaces are part of the same network. In our diagram below, this is network Furthermore, spoke-to-spoke traffic no longer needs to pass through the hub router but is sent directly from one spoke to another.
The flexibility, stability and easy setup it provides are second-to-none, making it pretty much the best VPN solution available these days for any type of network.
Understanding Cisco DMVPN
Cisco DMVPN uses a centralized architecture to provide easier implementation and management for deployments that require granular access controls for diverse user communities, including mobile workers, telecommuters, and extranet users.

- Dynamic discovery of IPsec tunnel endpoints and crypto profiles: eliminates the need to configure static crypto maps defining every pair of IPsec peers, further simplifying the configuration.
- Routing Protocol: used to learn networks between hub and spokes.

The hub maintains an NHRP database of the public interface addresses of each spoke. Each spoke registers its real address when it boots; when it needs to build direct tunnels with other spokes (only in Phase 2 and Phase 3), it queries the NHRP database for the real addresses of the destination spokes.
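A minimal hub and spoke configuration for the pieces described above (single mGRE interface, NHRP registration with the hub, IPsec protection), added here as an illustration and not taken from the original article. Interface names, the 10.0.0.0/24 tunnel network, the 192.0.2.1 hub public address, the key strings and the profile names are constructed placeholders.

```cisco
! --- Hub (NHS): one mGRE tunnel interface, no per-spoke configuration ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Wildcard peer address because spokes may have dynamic public IPs.
! CHANGE-ME-PSK is a placeholder; certificates avoid a shared group key.
crypto isakmp key CHANGE-ME-PSK address 0.0.0.0 0.0.0.0
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ! NHRP string is sent in cleartext: it catches misconfiguration,
 ! it does not replace IPsec. CHANGEME is a placeholder.
 ip nhrp authentication CHANGEME
 ! Add registered spokes to the multicast replication list automatically.
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/0
 ! No "tunnel destination": endpoints are resolved through NHRP.
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROF
!
! --- Spoke: same crypto section as the hub, plus one mGRE interface ---
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip nhrp authentication CHANGEME
 ! Only the hub is mapped statically: tunnel address -> public address.
 ip nhrp map 10.0.0.1 192.0.2.1
 ip nhrp map multicast 192.0.2.1
 ! Register with the hub (NHS) and send resolution requests to it.
 ip nhrp nhs 10.0.0.1
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROF
```

After the spoke registers, `show ip nhrp` on the hub lists the spoke's tunnel-to-public address mapping, and `show crypto ipsec sa` confirms that tunnel traffic is actually being encrypted.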
NHRP: No node found. Tunnel IP addr The NHS may immediately reply to the client. Again, R2 replies back across the hub and sends a Resolution Request packet: first directly to R3 (this attempt fails), then to the NHS.