Cisco iWAN technology is natural evolution of DMVPN.  DMVPN was introduced by Cisco 15 years ago around 2002.  Biggest driver for the technology was hybrid WAN, which provided the customers the ability to use commodity Internet to augment their existing MPLS connectivity.

The original intent of the Cisco Dynamic Multipoint VPN (DMVPN) architecture was to allow IPsec-GRE designs to scale. It evolved in multiple stages to increase efficiency and scalability and to support additional applications.

DMVPN creates overlay network architecture by joining diverse control and forwarding plane technologies, where each technology is intended to solve a specific problem.

Four independent technologies have been gathered together to form the core of DMVPN:

  • Multipoint Generic Route Encapsulation (mGRE)
  • Next-Hop Resolution Protocol (NHRP)
  • Dynamic Routing Protocols (EIGRP, RIP, OSPF, BGP)
  • IPsec encryption

The dependency on creating a subnet for creating routing adjacency is one of the challenges in using existing routing protocols for WAN routing. That requires an artificial creation of overlay subnet hence mGRE.

The mGRE uses a permanent IP address, that requires mapping with a dynamic public address assigned by the underlay carrier network to the private IP address.  That is why you need NHRP, in initial versions of DMVPN NHRP was used for mapping static private IP address of mGRE to public IP address of the services provider.  In later versions NHRP for enhanced to pass routing updates as well.

For the purpose of network security IPSec is the protocol of choice.  IPSec is used for for confidentiality, authentication, and integrity protection.  IPSec uses IKE for setting up control and management plane.  Whenever you have independent control plane protocol for one specific purpose you will have issues making them work coherently.

The use of different technologies and their integration into the DMVPN architecture has evolved with time, each phase making certain key changes that impact design. Following are the four major ‘phases’ of DMVPN and details on architecture designs based on each phase:

  • Phase 1: Provided straightforward encrypted hub-and-spoke connectivity.
  • Phase 2: First attempt to provide spoke-to-spoke connectivity. Cisco advises against this deployment for scalability reasons.
  • Phase 3: Used NHRP and distributed routing to improve spoke-to-spoke connectivity
  • Phase 4: Renamed to FlexVPN, and introduced VRF support and configuration improvements

DMVPN provided a solution that was very relevant for its time.  Due to nature of current architecture where you need to build arbitrary topology networks DMVPN will have to evolve into a true overly network without dependency on traditional routing protocol techniques.

Viptela architecture for scale and SDN

The fact that we don’t build overlay subnet-based routing adjacencies this has a big impact on simplicity removing any dependency for creating artificial overlay subnet to create WAN routing adjacencies.  Viptela architecture eliminates the need for mGRE and NHRP. Also, using SDN techniques of data and control plane separation you can introduce IKE less key distribution techniques for IPSec.  Since IPSec frame is very efficient for data plane and does not define specific key distribution technique.    Removing inter dependencies of multiple control planes and by creating a single control plane for both topology and policy improves scale by order of magnitudes.

There was always a use case for DMVPN for hybrid WAN, by removing complex multiple control planes into a single control plane for ubiquitous data plane fabric that is built for arbitrary connectivity for cloud topologies provides enterprise to fully achieve the benefits of hybrid WAN along benefits of cloud.

Benefits of using Viptela architecture are;

  • Reduced Operational Expenses: Lowers the cost of building secure scalable network that is based on policy not based on topology.
  • Conservation of Bandwidth: A Viptela configuration conserves WAN bandwidth while eliminating additional bandwidth requirements at the hub.
  • Flexible Solutions: Viptela offers a highly customizable solution, allowing each site to have different control policies at a control plane path level or data plan level.
  • Increased Uptime: With direct connectivity between remote sites, a viptela deployment eliminates many network delays.

Viptela architecture for next generation WAN

Viptela architecture is built on a single control plane that integrates policy, security, routing, segmentation and management. The biggest advantage as a result is operational simplicity. All major change control activities can be done in a few hours and not months while at the same time providing all the sophisticated enterprise-grade features.

Khalid Raza

Khalid Raza

Khalid is Co-founder and CTO at Viptela. A former Distinguished Engineer at Cisco, he is widely regarded as a visionary in Networking. Over 20 years Khalid has played an instrumental role in architecting networks for many Fortune 100 companies and Global Tier-1 carriers.