Automatic IP Security (IPsec) triggering for building an IPsec tunnel
- Dynamic discovery of IPsec tunnel endpoints and crypto profiles; the IPsec session is triggered by the tunnel interface itself, which eliminates the need to configure static crypto maps defining every pair of IPsec tunnel endpoints.
Multipoint GRE (mGRE) tunnel interface
- Allows a single GRE interface to support multiple IPsec tunnels.
Dynamic Routing over VPN
- Enables IP routing tables to be securely distributed between the branch site and the corporate headend over encrypted tunnels. Allows improved reachability without needing to manually define allowed routes.
- Enhanced Interior Gateway Routing Protocol (EIGRP), Open Shortest Path First (OSPF), and Border Gateway Protocol (BGP) routing protocols are supported.
Reduced Configuration Overhead
- DMVPN eliminates the need to configure crypto maps tied to the physical interface, dramatically simplifying the number of lines of configuration required for a VPN deployment (e.g., for a 1000-site deployment, DMVPN reduces the configuration effort at the hub from 3900 lines to 13 lines).
- Adding new spokes to the VPN requires no changes at the hub.
- Simplifies configuration of split tunneling. Centralized configuration change at the hub controls the split tunneling behavior. In traditional IPsec, all the spokes need to be modified.
- Cisco DMVPN can be deployed in zero-touch deployment models using Easy Secure Device Deployment for secure PKI-based device provisioning. Devices can be bootstrapped remotely, avoiding the need for extensive staging operations.
Dynamic Spoke to Spoke Tunnels
- Direct spoke to spoke tunnels eliminate the need for spoke-to-spoke traffic to traverse the hub.
- Reduces latency for voice over IP (VoIP) deployments over DMVPN and improves effective throughput of the hub router.
- Tunnels are created dynamically when required and torn down after use, allowing the system to scale better (i.e., smaller spokes can participate in the virtual full mesh).
Dynamic Addressing for Spoke Routers
- Spoke routers can use dynamic IP addresses, a frequent requirement for Internet connections over cable and DSL.
Network Address Translation (NAT) Traversal
- DMVPN supports spoke routers that perform NAT themselves or sit behind NAT devices (including dynamic NAT), using IPsec NAT traversal; branch subnets can keep private addressing and need no publicly routable address of their own.
IP Multicast Support
- DMVPN supports IP Multicast traffic (between hub and spokes); native IPsec supports only IP Unicast. This provides efficient and scalable distribution of one-to-many and many-to-many traffic.
QoS Support
Cisco DMVPN supports the following advanced QoS mechanisms:
- Traffic shaping at hub interfaces on a per-spoke or per-spoke-group basis.
- Hub-to-spoke and spoke-to-spoke QoS policies.
- Dynamic QoS policies wherein QoS templates are attached automatically to tunnels as they come up.
- Per-spoke QoS policing, allowing spokes to be differentiated, and protecting the network from being overrun by bandwidth hungry spokes.
- Cisco DMVPN enables routing-based failover.
- Dual WAN links and hub redundancy provide higher availability. DMVPN supports dual-hub designs, where each spoke is peered with two hubs, providing rapid failover.
- Multiple hub topologies allow uninterrupted spoke-to-spoke communication in the event of any single hub failure.
- DMVPN scales to thousands of spokes using server load balancing (SLB). Encryption can be integrated within the SLB device or distributed to dedicated headend VPN routers. Tunnels are load balanced over available hubs.
- Performance can be scaled incrementally by adding hubs.
- Hierarchical hub deployments allow enhanced scalability.
- Manageability support is provided through IPsec (including VRF-aware IPsec) MIB, NHRP MIB, and command-line interface (CLI).
Next Hop Resolution Protocol (NHRP)
- Allows spokes to be deployed with dynamically assigned public IP addresses; each spoke registers its current public (NBMA) address with the hub, and other spokes resolve it on demand.
- VRF-aware DMVPN deployed at the provider edge hubs allows segregation of customer traffic.
Multiprotocol Label Switching (MPLS) Support (2547oDMVPN)
- MPLS networks can be encrypted over DMVPN tunnels.
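The following hub and spoke configuration is an added example that ties the features above together (one mGRE interface, NHRP registration and resolution, IPsec triggered by tunnel protection, EIGRP over the tunnel, dual hubs, NAT traversal); it is not taken from the original page or from Cisco documentation. All addresses, names and numbers are assumptions: 198.51.100.1 and 198.51.100.2 are the two hubs' public (NBMA) addresses, 10.0.0.0/24 is the tunnel overlay with the hubs at 10.0.0.1 and 10.0.0.254, 10.1.0.0/16 and 10.2.0.0/16 are the hub and spoke LANs, EIGRP AS 100, and DMVPN-CA and the example.com FQDNs stand in for the deployment's own PKI.

```ios
! Added example, not from the original page or from Cisco's own documentation.
! Assumed values: hub NBMA addresses 198.51.100.1/.2, overlay 10.0.0.0/24,
! hub LAN 10.1.0.0/16, spoke LAN 10.2.0.0/16, EIGRP AS 100, trustpoint DMVPN-CA
! and example.com FQDNs are placeholders for the deployment's own PKI.
!
! ===== Hub 1 =====
! IKEv2 with certificate authentication (the PKI-based provisioning in the
! feature list assumes this). The common weak alternative is a wildcard
! pre-shared key ("crypto isakmp key ... address 0.0.0.0"): every spoke then
! shares one secret, so one compromised branch can impersonate any other.
crypto ikev2 proposal DMVPN-PROP
 encryption aes-gcm-256
 prf sha256
 group 19
crypto ikev2 policy DMVPN-POL
 proposal DMVPN-PROP
crypto ikev2 profile DMVPN-IKEV2
 match identity remote fqdn domain example.com
 identity local fqdn hub1.example.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint DMVPN-CA
!
! Transport mode: only the GRE payload is encrypted, which is what lets
! IPsec NAT traversal work for the tunnel.
crypto ipsec transform-set DMVPN-TS esp-gcm 256
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
 set ikev2-profile DMVPN-IKEV2
!
! One multipoint GRE interface serves every spoke; "tunnel protection"
! triggers IPsec per peer, so no crypto map per spoke is configured and
! adding a spoke changes nothing here.
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp network-id 100
 ip nhrp map multicast dynamic
 ip nhrp redirect
 no ip split-horizon eigrp 100
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
!
router eigrp 100
 network 10.0.0.0 0.0.0.255
 network 10.1.0.0 0.0.255.255
!
! ===== Spoke =====
! Same crypto configuration as the hub, except:
!  identity local fqdn spoke2.example.com
! The spoke's WAN address may be dynamic or behind NAT; NHRP registration
! tells both hubs where the spoke currently is, and IKEv2 detects NAT and
! switches to UDP/4500 encapsulation on its own.
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp network-id 100
 ip nhrp nhs 10.0.0.1 nbma 198.51.100.1 multicast
 ip nhrp nhs 10.0.0.254 nbma 198.51.100.2 multicast
 ip nhrp shortcut
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
!
router eigrp 100
 network 10.0.0.0 0.0.0.255
 network 10.2.0.0 0.0.255.255
```

The "multicast" keyword on each next-hop server entry is what lets EIGRP hellos reach the hubs over the mGRE interface; "ip nhrp redirect" on the hub and "ip nhrp shortcut" on the spokes make spoke-to-spoke traffic trigger a direct tunnel after the first packet has gone through the hub. The NHRP network ID and tunnel key must match on every member; note that "ip nhrp authentication" (not used here) is a cleartext string that only guards against misconfiguration and adds no security, which comes entirely from IPsec. Verify with "show dmvpn", "show ip nhrp" and "show crypto ikev2 sa".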
Performance Routing version 3 (PfRv3) – Load Balancing
- PfR lets enterprises fully use WAN investments and avoid oversubscription of links. Growing cloud, guest-services, and video traffic can be load balanced across all WAN paths.
Automatic Performance Optimization
- Reduces engineering operating expenses associated with manual network performance analysis and tuning of the routing infrastructure.
- Ensures that mission-critical applications perform with the speed, availability, and reliability required for business success. Business policies guide network traffic at the application level instead of traditional IP prefix-based routing.
- Automatic detection of network problems and fast routing around poorly performing paths (within 2 seconds) maintains optimal application performance.
- Active detection of and routing around "black hole" conditions in the network (within 1 second) helps minimize the effects of network outages, delivering up to 99.999-percent uptime over any transport, such as MPLS, Internet, or hybrid.
Granular Site by Site Control
- Scales to branch offices over any transport, and to thousands of sites (tens of thousands of traffic classes) without stacking deployments. Maintains granular control from the branch office to the data center and out to the public cloud.
- Smart sensing turns off active probing when real traffic is present on the WAN links, which also improves scalability.
SASE (Secure Access Service Edge), pronounced "sassy", is a cloud-native architecture that Gartner defined in 2019. SASE makes network security an integral, embedded function of the network fabric rather than a separate layer.
SASE supplants legacy services offered by single-purpose point solutions tied to fixed corporate premises such as data centers.
High-availability is enabled by automatically detecting the failure of a WAN link or site and redirecting traffic to working links – to provide users with continuous service. WAN link controllers can also be configured in a high-availability mode with one WAN link controller acting as the primary, and a second WAN link controller as a hot standby.
By bundling (aggregating) multiple, diverse Internet links from one or more ISPs, a WAN link controller reduces the need to purchase multiple and expensive high-speed links. This enables you to increase bandwidth by using cost-effective links without compromising up-time. In addition to managing scalability and redundancy, you can cost-effectively utilize all available WAN bandwidth through intelligent link load balancing. WAN link controllers provide controls for how bandwidth is used to support applications and connectivity. This allows you to take advantage of the most cost-effective ISP rates while ensuring appropriate levels of bandwidth are available for specific applications.
The performance of applications over the WAN directly affects response time. This includes not just total average transaction time but also assuring that users at performance-challenged sites (such as overseas branch offices) receive an acceptable level of performance. Performance is an important criterion for all networking equipment, but it is critical for a device such as a WAN link controller, because data centers are central points of aggregation and the controller must carry high volumes of traffic between sites. A simple definition of performance is how many bits per second the device can support. While this is extremely important, WAN link controllers have other key measures of performance as well, such as how many WAN links can be supported simultaneously.
Network access and secure delivery of applications over the WAN is vital. Network security addresses key elements specific to applications going over the network, such as required levels of encryption, authentication, and maximum reasonable usage. Encrypted tunnels behave differently on the network than clear text: once traffic is inside an IPsec or TLS tunnel, intermediate devices can no longer see the application headers, so any per-application classification, policing, or path selection has to happen before encryption or rely on markings (such as DSCP) copied to the outer header.
Scaling of applications delivered over the WAN is a critical consideration. It is important to understand how many users can use available network resources without having to spend large amounts of money to upgrade the network. It also affects how the network performs when a new version of software is deployed, etc. Performance requirements for accessing datacenter applications and data resources are usually characterized in terms of both the aggregate throughput of the WAN link controller and the number of simultaneous sessions that can be supported.
WAN link controllers should have an easy-to-use and intuitive web interface for managing themselves and the WAN infrastructure they affect.