User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 26 GRE and DM VPNs
Dynamic Multipoint VPNs (DMVPN)
Dynamic Multipoint VPN (DMVPN) is a hub-and-spoke VPN technology that enables better scaling of
large and small IPsec VPNs by combining generic routing encapsulation (GRE) tunnels, IP Security
(IPsec) encryption, and Next Hop Resolution Protocol (NHRP) routing.
This section contains the following topics:
Understanding DMVPN, page 26-10
Configuring DMVPN, page 26-12
Configuring GRE Modes for DMVPN, page 26-12
Configuring Large Scale DMVPNs, page 26-16
Configuring Server Load Balancing in Large Scale DMVPN, page 26-17

Table 26-1 GRE Modes Page for GRE or GRE Dynamic IP VPNs (Continued)

Element: Configure Unique Tunnel Source for each Tunnel
Description: When enabled, each GRE tunnel interface in the VPN is assigned a
unique tunnel source. In the Tunnel Source IP Range field, enter a
subnet IP to be used as tunnel sources.
Note: When enabled, this feature is set for all GRE tunnel interfaces
in the VPN. If you want to assign a specific tunnel source for an
interface, use the Peers policy to configure the endpoints for the
desired devices; see Defining the Endpoints and Protected
Networks, page 24-33.

Element: Tunnel Source IP Range (GRE Dynamic IP only.)
Description: The private IP address including the unique subnet mask that supports
the loopback for GRE. The GRE tunnel interface has an IP address
(inside tunnel IP address) which is taken from a loopback interface that
Security Manager creates specifically for this purpose.
When a spoke has a dynamic IP address, there is no fixed GRE tunnel
source address (to be used by the GRE tunnel on the spoke side) or
destination address (to be used by the GRE tunnel on the hub side).
Therefore, Security Manager creates additional loopback interfaces on
the hub and the spoke to use as the GRE tunnel endpoints. You must
specify a subnet from which Security Manager can allocate an IP
address for the loopback interfaces.

Element: Enable IP Multicast
Description: When selected, enables multicast transmissions across your GRE
tunnels. IP multicast delivers application source traffic to multiple
receivers without burdening the source or the receivers, while using a
minimum of network bandwidth.

Element: Rendezvous Point
Description: Only available if you selected the Enable IP Multicast check box.
If required, you can enter the IP address of the interface that will serve
as the rendezvous point (RP) for multicast transmission. Sources send
their traffic to the RP. This traffic is then forwarded to receivers down
a shared distribution tree.