DMVPN: How this Cisco IOS technology can help cut 70% off your corporate phone bill, Part 1

If you work with Cisco IOS you need to know about DMVPN - the Dynamic Multipoint Virtual Private Network, which could help to cut up to 70% off your company's telephone bill. George Morton, dual CCIE 18532,

Router/Switch & Security of IT consultancy Madison Solutions, has written a whitepaper about this Cisco technology, which we will post over two parts. Part 1 begins today (Update: Part 2 is here.)  

Dynamic Multipoint Virtual Private Network, (DMVPN) is an idea whose time has come.  Now the telephone companies don’t want you to read about DMVPN.  So if you love your telephone company and don’t want to save up to 70% off your current telephone bill stop reading now.

With up to 70% savings over your current MPLS and Frame Relay networks you are going to have understand DMVPN.  So even if not today, DMVPN is in your future, so let’s start today.

Part 1 of this series will introduce DMVPN and Part 2 will discuss configurations. Later on, we’ll also publish articles that will discuss DMVPN in various applications that support business-to-business, supplier, customer, employee and stakeholders.

What is DMVPN?

DMVPN is a simple, secure, low cost, scalable, substitution for Frame Relay, MPLS-VPN, VPN-Tunnels, GRE, and /or Metro-Ethernet.   DMVPN supports distributed applications including: data, voice, video, with QoS. All of this can be done in a secure IPSec VPN tunnel over an Internet connection.   DMVPN is supported in Cisco IOS 12.2(T) routers from the 870 to the 7600. For the newest version of DMVPN, Phase 3 the IOS recommended starts with IOS 12.4(9)T1.

Historically moving away from a Telco managed network, has had a very limited appeal.  Moving to Internet based VPN topology has been complex to build, hard to manage, and is very limited when you attempt to scale the network.  Abandoning Frame or MPLS for Internet VPN services has not been worth the operational cost to maintain or scale.

With DMVPN the hub has a database created with Next Hop Resolution Protocol, (NHRP, RFC 2332).  So the hub has a simple multipoint GRE tunnel interface supporting multiple IPSec tunnels to all spokes.  Each spoke is connected to the hub with a simple configuration allowing you to cut-and-paste the DMVPN configuration on to any router.  The only change is the IP address of the GRE Tunnel.  The spoke uses dynamic discovery of IPSec tunnel end-points, (other spokes). No IPSec static configuration for each spoke.

The Economics of DMVPN

The savings come from easy of administration, but the cash savings comes from moving from managed T-1 services to ADSL, ADSL-2 and cable’s DOCSIS 3.0.

A 12Mbps x 896Kbps from Qwest in Denver with 24x7 support, and network based anti-virus for $140.00 a month.  For the home office the price is: $50.00 a month. Current T-1 Frame or MPLS run around $500.00 a month.  Savings: 360 / 500 = 72% savings.

The Spoke DMVPN routers can be 870 series for as little as $800, (Cisco 877).  With this configuration you would have an IOS firewall and DMVPN Phase 3. The total design for the spoke would be fiber to the building delivering 12Mbps down and 896Kbps up, with QoS, Firewall, and can all be managed with a common configuration and dynamic IP address from the service provider.   

Because DMVPN supports multipoint GRE tunneling you can run VoIP, Video, and Multicast services across your secure DMVPN link.  Cisco is calling this service V3PN.  For spokes that need to know about other spokes the DMVPN supports RIP, EIGRP, OSPF, and BGP. 

With installations the biggest problem is now how to control the end users.  I have been deploying two models based on the two main DMVPN configurations, Hub-and-Spoke, (H&S) and Spoke-to-Spoke, (S2S). With H&S the design allows the spoke to communicate with the hub but not other spokes.  This works best in a B2B environment where you don’t want clients to have access to each other.  Another feature deployed in this model is to NAT the spoke’s LAN connection into the Tunnel IP address to block any traffic back to the spoke.

For the S2S configurations data is not the issue, but voice and video.  Office to office communications and file sharing is the primary reasons for allowing 1,000,000 multipoint connections to exist at the same time.

The last element is Phase 1, Phase 2, and Phase 3 that can run with or without IPSec.  In the Medical example because the doctor’s offices link to the hub over Microsoft Terminal services, Microsoft is providing the encryption.  Microsoft Terminal Service allows the medical center to protect the Hub network with Active Directory login controls and restricts end user ability to upload nasty little surprises.  Even for Medical transcription Terminal Services are in use. 

With the world built around 24x7x365 having a multi-hub network at the core increases the reliability of the network and services that can be offered.  The above are two configurations offered by Cisco.   A third multi-hub model is one with a load balancer in front of the Hubs to expand to 20,000+ spoke network clients.

Conclusion

Cisco has been developing DMVPN for six years, with ADSL-2 and other high speed low cost links moving from managed Telco service makes sense.  Cisco in their documentation over and over again stresses the limits of this design are in the thousands per hub/multi-hub configuration.   A government deployed test run by Cisco had over 1,000 dynamic spokes fully meshed, that’s N*(N-1) or 1,000,000 dynamic tunnels.

If you think that you might never need a 1,000 spoke network, just think everyone in your office having the ability to work from home.   With Voice, Video, and services like Microsoft Terminal Server the risk to the network is greatly reduced.  Now you have the foundation plumbing for cloud computing.

More from Cisco Subnet:Is Cisco the Madonna of networking?Drive-by backing; A story from the fieldCisco targets packet shaping market with Application Performance Assurance moduleCisco's wise move of placing IOS inside VMware ESXPodcast: Can Cisco makes its mark in the collaboration game?

*

*

Go to Cisco Subnet for more Cisco news, blogs, discussion forums, security alerts, book giveaways, and more.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Related:
Now read: Getting grounded in IoT