dynamic multipoint VPN (DMVPN)

A dynamic multipoint virtual private network (DMVPN) is a secure network that exchanges data between sites without needing to pass traffic through an organization's headquarter virtual private network (VPN) server or router.

VPNs traditionally connect each remote site to the headquarters; the DMVPN essentially creates a mesh VPN topology. This means that each site (spoke) can connect directly with all other sites, no matter where they are located.

A DMVPN service runs on VPN routers and firewall concentrators.  Each remote site has a router configured to connect to the company’s headquarters VPN device (hub), providing access to the resources available. When two spokes are required to exchange data between each other -- for a VoIP telephone call, for example -- the spoke will contact the hub, obtain the necessary information about the other end, and create a dynamic IPsec VPN tunnel directly between them.

Direct spoke-to-spoke deployments provide a number of advantages when compared to traditional VPN deployments:

  • Traffic between remote sites does not need to traverse the hub (headquarter VPN router).
  • A DMVPN deployment eliminates additional bandwidth requirements at the hub.
  • DMVPNs eliminate additional network delays.
  • DMVPNs conserve WAN bandwidth.
  • They lower costs for VPN circuits.
  • They increase resiliency and redundancy.
DMVPN at a glance

DMVPN deployments include mechanisms such as GRE tunneling and IPsec encryption with Next Hop Resolution Protocol (NHRP) routing that are designed to reduce administrative burden and provide reliable dynamic connectivity between sites. It is in every company’s advantage to make use of DMVPN where possible, to help reduce WAN costs and increase bandwidth and reliability.

This was last updated in November 2011

Continue Reading About dynamic multipoint VPN (DMVPN)

Dig Deeper on WAN technologies and services