26-11
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 26 GRE and DM VPNs
Dynamic Multipoint VPNs (DMVPN)
When you configure the GRE Modes policy for a DMVPN, you can elect to allow spokes to create these
direct connections. You must select the DMVPN phase to use for these connections:
Phase 2—Spoke-to-spoke connections go through regional hubs and routing protocol updates from hubs to spokes are not summarized.
Phase 3 (Default)—Spokes can create direct connections with each other and routing updates from hubs to spokes are summarized. This option allows the greatest scalability and reduces latency. Devices must run IOS Software release 12.4(6)T or higher; ASRs must run IOS XE Software release 2.4 (called 12.2(33)XND) or higher. Security Manager automatically creates a phase 2 configuration for devices running a lower OS version.
For more information on configuring the GRE Modes policy, see Configuring GRE Modes for DMVPN, page 26-12.
Related Topics
Understanding DMVPN, page 26-10
Cisco Dynamic Multipoint VPN: Simple and Secure Branch-to-Branch Communications
Migrating from Dynamic Multipoint VPN Phase 2 to Phase 3
Advantages of DMVPN with GRE
Using DMVPN with GRE provides the following advantages:
Simplified GRE configuration on the hub
With GRE alone, a separate tunnel is configured on the hub for each connected spoke. With GRE + DMVPN, only one tunnel is configured on the hub for all the connected spokes.
Support for dynamically addressed spokes
When using GRE alone, the hub router's configuration must specify the physical interface IP address of each spoke router as that spoke's GRE tunnel destination address. DMVPN enables spoke routers to have dynamic external interface IP addresses, and provides a robust configuration that does not have to be redeployed to the device even if the external interface IP address changes. When the spoke comes online, it sends registration packets to the hub that contain the physical interface IP address of the spoke.
Dynamic tunnel creation for direct spoke-to-spoke communication
NHRP enables spoke routers to dynamically learn the external interface IP address of the other routers in the VPN network. Using NHRP, the hub maintains an NHRP database of the public interface addresses of all the spokes (the clients). Each spoke registers its real address with the hub when it boots.
When a spoke wants to transmit a packet to another spoke, it can use NHRP to dynamically determine the required destination address of the destination spoke. The hub acts as the NHRP server, handling the request for the source spoke. This enables the dynamic creation of an IPsec+GRE tunnel directly between spoke routers, without having to go through a hub router, thus reducing the delay of multiple encryption and decryption actions on the hub.