26-10
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 26 GRE and DM VPNs
Dynamic Multipoint VPNs (DMVPN)
Understanding DMVPN
Dynamic Multipoint VPN (DMVPN) enables better scaling of large and small IPsec VPNs by combining
generic routing encapsulation (GRE) tunnels, IP Security (IPsec) encryption, and Next Hop Resolution
Protocol (NHRP) routing. (For information about large scale DMVPNs, see Configuring Large Scale
DMVPNs, page 26-16.)
Security Manager supports DMVPN using the EIGRP, OSPF, and RIPv2 dynamic routing protocols, and
GRE static routes. In addition, On-Demand Routing (ODR) is supported. ODR is not a routing protocol.
It may be used in a hub-and-spoke VPN topology when the spoke routers do not connect to any router
other than the hub. If you are running dynamic protocols, ODR is not suitable for your network
environment.
You can use DMVPN on a hub-and-spoke VPN topology only with devices running Cisco IOS Software
release 12.3T and later, or ASRs running Cisco IOS XE Software 2.x or later (known as
12.2(33)XNA+ in Security Manager). DMVPN is not supported on Catalyst VPN Services Module
devices or on High Availability (HA) groups. If your device does not support DMVPN, use GRE
dynamic IP to configure GRE for dynamically addressed spokes. See Understanding GRE Configuration
for Dynamically Addressed Spokes, page 26-5.
The following topics provide more overview information on DMVPN:
Enabling Spoke-to-Spoke Connections in DMVPN Topologies, page 26-10
Advantages of DMVPN with GRE, page 26-11
The following documents on Cisco.com explain DMVPN in further detail:
Cisco Dynamic Multipoint VPN: Simple and Secure Branch-to-Branch Communications—Explains
DMVPN technology and where and why you would use it. This data sheet explains the technologies
used with DMVPN and the benefits derived from those technologies.
Migrating from Dynamic Multipoint VPN Phase 2 to Phase 3—Explains the difference between
phase 2 and phase 3 spoke-to-spoke connections. Creating spoke-to-spoke connections is a
configuration option with DMVPN. Phase 3 uses shortcut switching enhancements to increase
network performance and scalability.
Additional white papers and presentations are available at
http://www.cisco.com/en/US/products/ps6658/prod_literature.html.

Enabling Spoke-to-Spoke Connections in DMVPN Topologies

You can use DMVPN to essentially create a full-mesh VPN, in which traditional hub-and-spoke
connectivity is supplemented by dynamically-created IPsec tunnels directly between the spokes. With
direct spoke-to-spoke tunnels, traffic between remote sites does not need to traverse the hub; this
eliminates additional delays and conserves WAN bandwidth. Spoke-to-spoke capability is supported in
a single-hub or multihub environment. Multihub deployments provide increased spoke-to-spoke
resiliency and redundancy.
You can use the 80:20 traffic rule to determine whether to use a pure hub-and-spoke topology or to allow
direct spoke-to-spoke connections:
If 80 percent or more of the traffic from the spokes is directed into the hub network itself, deploy
the hub-and-spoke model.
If more than 20 percent of the traffic is meant for other spokes, consider the spoke-to-spoke model.
For networks with a high volume of IP Multicast traffic, the hub-and-spoke model is usually preferred.
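To make the 80:20 rule concrete, here is an added example that is not code from the Cisco guide or from Security Manager. It applies the rule to constructed NetFlow-style records: traffic leaving each spoke is classified by destination as hub network, another spoke, or IP multicast, using constructed site prefixes. The guide gives no figure for what counts as a "high volume of IP Multicast traffic", so the 50 percent multicast cut-off used here is an assumption.

```python
"""Apply the 80:20 spoke-traffic rule to flow records.

Added example, not code from the Cisco guide or Security Manager. Site
prefixes, flow lines and the multicast cut-off are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addressing plan: one hub network, three spoke networks.
HUB_PREFIXES = [ip_network("10.0.0.0/16")]
SPOKE_PREFIXES = {
    "spoke-A": ip_network("10.1.0.0/16"),
    "spoke-B": ip_network("10.2.0.0/16"),
    "spoke-C": ip_network("10.3.0.0/16"),
}
MULTICAST = ip_network("224.0.0.0/4")

# Constructed NetFlow-style export: "<src_ip> <dst_ip> <bytes>" per line.
SAMPLE_FLOWS = """\
10.1.5.10 10.0.1.20 900000
10.1.5.11 10.0.1.21 100000
10.1.5.12 10.2.7.30 50000
10.2.7.30 10.0.1.20 300000
10.2.7.31 10.1.5.10 400000
10.2.7.32 10.3.9.40 300000
10.3.9.40 239.1.1.1 800000
10.3.9.41 10.0.1.20 200000
"""


@dataclass
class SpokeStats:
    """Bytes sent by one spoke, split by destination class."""
    to_hub: int = 0
    to_spoke: int = 0
    multicast: int = 0

    @property
    def total(self) -> int:
        return self.to_hub + self.to_spoke + self.multicast


def spoke_of(addr) -> Optional[str]:
    """Name of the spoke whose prefix contains addr, or None."""
    for name, net in SPOKE_PREFIXES.items():
        if addr in net:
            return name
    return None


def parse_flows(text: str):
    """Parse 'src dst bytes' lines; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        src, dst, nbytes = line.split()
        flows.append((ip_address(src), ip_address(dst), int(nbytes)))
    return flows


def aggregate(flows):
    """Classify each spoke-originated flow as hub, spoke-to-spoke or multicast."""
    stats = {name: SpokeStats() for name in SPOKE_PREFIXES}
    for src, dst, nbytes in flows:
        origin = spoke_of(src)
        if origin is None:
            continue  # the rule only counts traffic leaving the spokes
        if dst in MULTICAST:
            stats[origin].multicast += nbytes
        elif any(dst in net for net in HUB_PREFIXES):
            stats[origin].to_hub += nbytes
        elif spoke_of(dst) not in (None, origin):
            stats[origin].to_spoke += nbytes
        # intra-spoke and unknown destinations never cross the VPN; ignored
    return stats


def analyze(text: str, multicast_cutoff: float = 0.5) -> dict:
    """Apply the guide's 80:20 rule across all spokes.

    multicast_cutoff is an assumed share above which the guide's "high
    volume of IP Multicast" preference for hub-and-spoke applies.
    """
    stats = aggregate(parse_flows(text))
    total = sum(s.total for s in stats.values())
    if total == 0:
        return {"per_spoke": stats,
                "recommendation": "hub-and-spoke (no spoke traffic observed)"}
    hub_share = sum(s.to_hub for s in stats.values()) / total
    spoke_share = sum(s.to_spoke for s in stats.values()) / total
    mcast_share = sum(s.multicast for s in stats.values()) / total
    if mcast_share >= multicast_cutoff:
        rec = "hub-and-spoke (high multicast volume)"
    elif hub_share >= 0.80:
        rec = "hub-and-spoke"
    elif spoke_share > 0.20:
        rec = "spoke-to-spoke"
    else:
        rec = "hub-and-spoke"
    return {"per_spoke": stats, "hub_share": hub_share, "spoke_share": spoke_share,
            "multicast_share": mcast_share, "recommendation": rec}


if __name__ == "__main__":
    result = analyze(SAMPLE_FLOWS)
    for name, s in result["per_spoke"].items():
        print(f"{name}: hub={s.to_hub} spoke={s.to_spoke} mcast={s.multicast}")
    print(f"hub {result['hub_share']:.1%}, spoke-to-spoke {result['spoke_share']:.1%}, "
          f"multicast {result['multicast_share']:.1%} -> {result['recommendation']}")
```

Run against real flow exports by replacing SAMPLE_FLOWS and the prefix tables with your own site plan; the per-spoke breakdown shows which sites drive the spoke-to-spoke share, which is the information you need before enabling direct spoke tunnels.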