Automatic IP Security (IPsec) triggering for building an IPsec tunnel
- Dynamic discovery of IPsec tunnel endpoints and crypto profiles; eliminates the need to configure static crypto maps defining every pair of IPsec tunnels.
Multipoint GRE (mGRE) tunnel interface
- Allows a single GRE interface to support multiple IPsec tunnels.
Dynamic Routing over VPN
- Enables IP routing tables to be securely distributed between the branch site and the corporate headend over the encrypted tunnels. Reachability follows the routing protocol, so there is no need to manually define the allowed routes (the crypto ACLs of a static IPsec design).
- Enhanced Interior Gateway Routing Protocol (EIGRP), Open Shortest Path First (OSPF), and Border Gateway Protocol (BGP) routing protocols are supported.
Reduced Configuration Overhead
- DMVPN eliminates the need to configure crypto maps tied to the physical interface, dramatically simplifying the number of lines of configuration required for a VPN deployment (e.g., for a 1000-site deployment, DMVPN reduces the configuration effort at the hub from 3900 lines to 13 lines).
- Adding new spokes to the VPN requires no changes at the hub.
- Simplifies configuration of split tunneling. Centralized configuration change at the hub controls the split tunneling behavior. In traditional IPsec, all the spokes need to be modified.
- Cisco DMVPN can be deployed in zero-touch deployment models using Easy Secure Device Deployment for secure PKI-based device provisioning. Devices can be bootstrapped remotely, avoiding the need for extensive staging operations.
Dynamic Spoke to Spoke Tunnels
- Direct spoke to spoke tunnels eliminate the need for spoke-to-spoke traffic to traverse the hub.
- Reduces latency for voice over IP (VoIP) deployments over DMVPN and improves effective throughput of the hub router.
- Tunnels are created dynamically when required and torn down after use, allowing the system to scale better (i.e., smaller spokes can participate in the virtual full mesh).
Dynamic Addressing for Spoke Routers
- Spoke routers can use dynamic IP addresses, a frequent requirement for Internet connections over cable and DSL.
Network Address Translation (NAT) Traversal
- DMVPN supports spoke routers that perform NAT themselves or sit behind dynamic NAT devices, so branch subnets can stay on private addressing behind the NAT boundary. IPsec NAT traversal (NAT-T) encapsulates ESP in UDP port 4500, so the translated address is detected and handled automatically. Note that when both ends of a would-be spoke-to-spoke tunnel are behind NAT, whether a direct tunnel can be built depends on the NAT type; if it cannot, that traffic simply stays on the hub path.
IP Multicast Support
- DMVPN supports IP Multicast traffic (between hub and spokes); native IPsec supports only IP Unicast. This provides efficient and scalable distribution of one-to-many and many-to-many traffic.
QoS Support
Cisco DMVPN supports the following advanced QoS mechanisms:
- Traffic shaping at hub interfaces on a per-spoke or per-spoke-group basis.
- Hub-to-spoke and spoke-to-spoke QoS policies.
- Dynamic QoS policies wherein QoS templates are attached automatically to tunnels as they come up.
- Per-spoke QoS policing, allowing spokes to be differentiated, and protecting the network from being overrun by bandwidth hungry spokes.
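The "dynamic QoS policies" and per-spoke shaping items above are the per-tunnel QoS feature: a spoke names an NHRP group when it registers, and the hub attaches the policy mapped to that group to the spoke's tunnel. The following is an added example, not configuration from the data sheet; policy and group names, the bandwidth figures and the interface names are assumptions for illustration.

```ios
! Added example (not from the Cisco data sheet): per-tunnel QoS on a DMVPN hub.
! Policy and group names and the bandwidths are assumptions for illustration.
! Each spoke announces an NHRP group name when it registers; the hub looks the
! group up and attaches the matching shaper to that spoke's tunnel automatically.
!
! ===== Hub =====
class-map match-any VOICE
 match dscp ef
!
! Child policy: queuing inside whatever rate the parent shaper allows,
! so VoIP keeps a protected share on every spoke regardless of its size.
policy-map SPOKE-QUEUING
 class VOICE
  priority percent 20
 class class-default
  fair-queue
!
! Parent policies: one shaper per spoke class. Shape to the spoke's downlink
! rate so the hub never overruns a slow DSL or cable site.
policy-map SHAPE-10M
 class class-default
  shape average 10000000
  service-policy SPOKE-QUEUING
policy-map SHAPE-2M
 class class-default
  shape average 2000000
  service-policy SPOKE-QUEUING
!
! Group-to-policy mapping on the mGRE interface. New spokes need no hub change:
! they pick a group, and the hub instantiates the policy when they register.
interface Tunnel0
 ip nhrp map group SPOKE-10M service-policy output SHAPE-10M
 ip nhrp map group SPOKE-2M service-policy output SHAPE-2M
!
! ===== Spoke (a 2 Mbit/s site) =====
interface Tunnel0
 ip nhrp group SPOKE-2M
```

The group name is chosen by the spoke and carried in its NHRP registration, so a misconfigured or compromised spoke can claim the largest shaper; the hub-side shaper only bounds what the hub sends toward that spoke. Bounding what a spoke can push into the hub is the separate per-spoke policing item above. `show dmvpn detail` shows which group each spoke registered with, and `show policy-map multipoint` shows the per-spoke policy instances the hub has created.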
- Cisco DMVPN enables routing-based failover: the dynamic routing protocol running over the tunnels withdraws routes through a failed hub or path, so traffic follows the surviving path.
- Dual WAN links and hub redundancy provide higher availability. DMVPN supports dual-hub designs, where each spoke is peered with two hubs, providing rapid failover.
- Multiple hub topologies allow uninterrupted spoke-to-spoke communication in the event of any single hub failure.
- DMVPN scales to thousands of spokes using server load balancing (SLB). Encryption can be integrated within the SLB device or distributed to dedicated headend VPN routers. Tunnels are load balanced over available hubs.
- Performance can be scaled incrementally by adding hubs.
- Hierarchical hub deployments allow enhanced scalability.
- Manageability support is provided through IPsec (including VRF-aware IPsec) MIB, NHRP MIB, and command-line interface (CLI).
Next Hop Resolution Protocol (NHRP)
- Allows spokes to be deployed with dynamically assigned public IP addresses: each spoke registers its current public (NBMA) address with the hub, which acts as next-hop server, and resolves other spokes' addresses through it on demand.
- VRF-aware DMVPN deployed at the provider edge hubs allows segregation of customer traffic.
Multiprotocol Label Switching (MPLS) Support (2547oDMVPN)
- MPLS networks can be encrypted over DMVPN tunnels.
Performance Routing version 3 (PfRv3) – Load Balancing
- PfR lets enterprises fully use WAN investments and avoid oversubscription of lines. The growth of cloud traffic, guest services, and video can easily be load balanced across all WAN paths.
Automatic Performance Optimization
- Reduces engineering operating expenses associated with manual network performance analysis and tuning of the routing infrastructure.
- Ensures that mission-critical applications perform with the speed, availability, and reliability required for business success. Business policies guide network traffic at the application level instead of traditional IP prefix-based routing.
- Automatic detection of network problems and fast routing around poorly performing paths (within 2 seconds) maintains optimal application performance.
- Active detection of and routing around “black hole” conditions in the network (within 1 second) helps minimize the effects of network outages. Delivers up to 99.999-percent uptime over any transport, such as MPLS, Internet, or hybrid.
Granular Site by Site Control
- Scale to branch offices over any transport. Scale to thousands of sites (tens of thousands of traffic classes) without stacking deployments. Maintain granular control from the branch office to the data center and out to the public cloud.
- Use smart sensing, which turns off probing when it senses real traffic on the WAN links, also improving scalability.