Dynamic Multipoint Virtual Private Network

A virtual private network, or VPN, uses a 'pipe' system, most commonly the internet, to establish a private network connection between two end-points. This connection uses Generic Routing Encapsulation (GRE) to communicate and transfer packets of data. GRE on its own does not secure the data it carries, so businesses use IPsec (IP Security) to protect it. However, large businesses commonly have more than one branch, and the problem of communicating between these branches led to the creation of the Dynamic Multipoint VPN (DMVPN). Originally, separate branches would have to run all communication and data through a business's main location or headquarters to get the data to a second branch. A DMVPN removes that problem by creating a universal GRE tunnel to which all branches have access. The branches can hence use a common GRE tunnel (multipoint GRE, or mGRE) to communicate directly with another branch while using IPsec to protect traffic. mGRE allows a single GRE interface to support multiple IPsec tunnels (Firewall.cx, 2012). The Next Hop Resolution Protocol (NHRP) gives branches non-broadcast multi-access (NBMA) connectivity for businesses that want to privately transfer data over the internet (Chen, 2011). NHRP is used to resolve the dynamic addresses of multiple nodes. DMVPN configuration consists of building a hub-and-spoke network in which the hubs are statically configured on the spokes (Pote, 2014).

DMVPNs are used to privately and securely transfer data across the internet within one organization. For example, if a healthcare organization transfers a patient to another hospital that provides the appropriate care needed for the patient, protected health information (PHI) will need to be digitally transferred to the new hospital. In order to transfer the patient's information securely and in a timely manner, a DMVPN is used to transmit the data from one hospital to the next. Implementing a DMVPN both decreases administrative costs and simplifies configuration (Firewall.cx, 2012).

DMVPNs are provided by Cisco, which is widely used throughout health organizations.

Web resources:
YouTube: DMVPN implementation
Cisco definition
In-depth technological description

Related terminology:
VPN (Virtual Private Network)
GRE (Generic Routing Encapsulation) (builds a logical pipe across the internet)
IPsec (Internet Protocol Security)
NHRP (Next Hop Resolution Protocol)

Firewall.cx. Understanding cisco dynamic multipoint VPN - DMVPN, MGRE, NHRP. (2012, September 1). Retrieved October 29, 2015, from http://www.firewall.cx/cisco-technical-knowledgebase/cisco-services-tech/896-cisco-dmvpn-intro.html
Firewall CX Definition

Cisco IOS DMVPN overview. (2008, February 1). Retrieved October 29, 2015, from http://www.cisco.com/c/dam/en/us/products/collateral/security/dynamic-multipoint-vpn-dmvpn/DMVPN_Overview.pdf

Pote, P. (2014, September 18). Patent WO2014139646A1 - Communication in a dynamic multipoint virtual private network.
DMVPN patent

Chen, H. (2011). Design and implementation of secure enterprise network based on DMVPN, Business Management and Electronic Information, vol.1, 506-511, 13-15, doi: 10.1109/ICBMEI.2011.5916984

