DMVPN combines GRE tunnels with IPSEC protection; actually it's called mGRE, meaning multipoint GRE. This kind of VPN is considered very scalable because you need to make only one tunnel interface at the HUB side and also one tunnel interface at the spoke side, then all other tunnels will be automatic, and the communication between spokes will be, for the first packet, spoke > HUB > spoke, then all the subsequent packets will be SPOKE > SPOKE directly.
In addition, you don't need a static public IP address for each device; only one IP is required for the HUB router.
DMVPN is the combination of multiple technologies (IPSEC, MGRE, Dynamic IGP routing and NHRP).
IPSEC = provides regular encryption/authentication/integrity etc.
MGRE = The 'GRE' allows multicast/non-IP protocols to go over IPSEC VPN, otherwise it's not possible. MGRE allows you to use 'one' tunnel interface to connect multiple VPN peers thereby increasing management and scalability. It differentiates different flows by the help of a tunnel key.
NHRP = Allows the HUB to learn the addresses of the spoke automatically easing management. It also allows the spokes to learn the current Public/Dynamic IPs of other spokes to form direct 'spoke-2-spoke' tunnels to increase scalability.
IGP Routing: Allows the VPN sites to learn about the VPN subnets of each site.
New spoke/branch sites need no change at hub site. Only at the spokes (so it is not pure 'auto configure' as you describe).
Is it possible to have a Hub-Spoke setup using DMVPN where some of the spokes act as hubs for other spokes?
I'm trying to create a three level network where the center of it all is the corporate office. The corporate office is the Hub for the main branch offices, and the remote branch offices are spokes of the main branch offices.
Thank you for any help that you might be able to provide.
It is possible, which is called by Cisco DMVPN phase 3 (and recommended); in your case it is the hierarchical one (multi-hub). You have to make the HQ office the server and hub for the branches, then the branch offices will be the hubs for the remote offices.
I've got HQ set up as a server and hub for the branches. To set up the branches as both a server and hub for the remotes, do I simply use a second Tunnel Interface? And if that's the case, I'm guessing that I would need to use a separate network-id & tunnel key, but is there anything else that needs to distinguish the second mGRE as separate?
Thank you for your previous reply. I've rated accordingly. If you're able to help me again, I'd be happy to accommodate.