July 8, 2010

Dynamic Multipoint VPN - DMVPN

One of the most interesting features of DMVPN, in my personal opinion, is its extended support for VRF on MPLS networks.

Remember, VRF allows multiple instances of routing tables to co-exist on the same router at the same time.

Having said that, DMVPN helps scale out the traditional IPSEC hub-and-spoke VPN configuration: the spoke routers keep permanent tunnels to the hub router, and temporary tunnels are set up between the spoke routers as needed. The result is that spoke-to-spoke traffic no longer loads the hub router, which gives better network performance, scalability and traffic control management.

DMVPN relies on the following protocols:

  • IPSEC: secures the traffic, using pre-shared keys in this setup

  • mGRE: multipoint GRE allows us to encapsulate multicast packets (e.g. OSPF packets) and to set up a pseudo-virtual tunnel interface that links our sites

  • NHRP: without NHRP, our GRE tunnels cannot be established. NHRP stands for “Next Hop Resolution Protocol” and lets our server know what the peer sites' IPs are. The NHRP server (the hub) answers NHRP requests for peer IP discovery so that the tunnels can be formed.

  • A routing protocol: OSPF, RIP, BGP, etc.

Important things to keep in mind

- IPSEC in “Transport Mode”

When setting up the tunnel, make sure to use “transport” mode with IPSEC: the original IP packet is already encapsulated by GRE, so the extra outer IP header that tunnel mode would add is not needed. This saves you 20 bytes of MTU ;-)

- Use RIP for default routes

I know, you are probably ready to pull your hair out, but in a large DMVPN network, using RIP can scale better than another routing protocol such as OSPF… calculating adjacencies is CPU intensive ;-)