IWAN Wed: Securing Your Transport Independence with DMVPN
Your IWAN topology will most likely consist of one or more internet connections which means that your data will be traveling over untrusted connections and shared environments so security is going to be top of mind. So how do you secure your data over the internet and other untrusted or shared environments? Well DMVPN (Dynamic Multi-point Virtual Private Network) is based on VPN the same technology that many of you use today to securely connect back to your office when you are traveling or working from home. A VPN will create a tunnel between two end-points and then encrypt all data traveling over the tunnel. VPN’s can connect users to a remote site, client-to-site VPN, or connect two remote sites, site-to-site VPN. Unlike VPN, DMVPN can securely connect multiple points together dynamically.
So how does DMVPN work and what is the benefit to IWAN? DMVPN works on top of your WAN infrastructure which means that DMVPN tunnels will be established between branch sites as traffic flow demands. In a common hub and spoke topology example, when data needs to be sent from the spoke to the hub site, the spoke will establish a VPN tunnel to the hub by registering first with the hub. In order for each tunnel to function a new dynamic IP address is created at the branch since the hub site will initiate the connection. In order for data to be routed between sites over the DMVPN tunnels, routing information will need to be exchanged. As more tunnels are created there will be more dynamically created IP addresses and traditional routing protocols like BGP or EIGRP are used to efficiently share routing information so all sites can talk to each other. Lastly QoS is applied to each tunnel to ensure that the hub site does not oversubscribe the spoke sites.
One of the key benefits of IWAN is transport independence and that wouldn’t be possible without DMVPN. Transport independence has three main characteristics:
- Simplified WAN Design. Physically IWAN can have multiple connections between sites and multiple sites connecting to single sites so DMVPN helps to create a virtual ‘overlay’ network on top of the physical infrastructure that simplifies connectivity.
- Dynamic Fully Meshed Connectivity. The ability to automatically created secure tunnels between sites where bandwidth is required. In a hub and spoke configuration data passing from spoke to spoke will need to pass through the hub router, however with DMVPN a tunnel can be established between spoke sites to avoid oversubscribing the hub router.
- Secure Transport. Certified encryption standards ensure all data transfer is protected and more importantly maintaining security as the IWAN topology scales.
As you can see DMVPN plays an important role in how IWAN functions and more importantly how it helps to secure and guarantee application delivery over any connection. To learn more about IWAN and DMVPN visit http://www.cisco.com/go/iwan