Tech Blog and Case Studies

How we reduced a customer’s WAN expenses using DMVPN technology



The customer is a medium-sized Financial Company headquartered in the US, which currently has 30 branch offices in the US and in other countries.  This company is growing its business and plans to open 10 more offices in the next 5 years.  The customer’s current infrastructure is managed and hosted by a managed service provider (MSP).  The future requirement is to have two redundant connections at each site, one to the MSP and the other to the Internet (using ADSL, Ethernet, 3G etc).  The customer requested that the IP network design/solution not only provide a transport for various data, voice and video applications, but also it has to be highly secure since they are running on top of the most open and untrusted network, the Internet. Any threats that are present can make the services unavailable.

Security Goals

  • Eavesdropping: customer traffic should be protected using encryption to prevent unauthorized capture of traffic.
  • Malicious content: traffic should be filtered to prevent malicious traffic from damaging customer endpoints.
  • Threats to network resources: The network infrastructure should be protected from malicious packets and denial-of-service (DoS) attacks, to ensure a uninterrupted service.

Our Solution

Based on the customer requirement, VeeMost engineering team offered a suitable solution i.e. Dynamic Multipoint VPN (DMVPN) to this customer.

DMVPN is a Cisco software-based security solution for building scalable enterprise VPN that support distributed applications such as voice, video and data.  Cisco DMVPN is widely used to combine enterprise branch, remote workers and Extranet connectivity.  Its main benefits are:

  • On-demand full mesh connectivity with simple hub-and-spoke configuration
  • Automatic IP Security (IPsec) triggering for building a spoke-to-spoke IPsec tunnel
  • “Zero-touch” deployment for adding remote sites
  • Reduced latency and bandwidth savings

Dual DMVPN Cloud Topology – Spoke-to-Spoke Deployment Model is deployed for the customer’s needs

A dual DMVPN cloud topology with the spoke-to-spoke deployment model consists of two headend routers (Hub 1 and Hub 2), each with one or more mGRE tunnel interface(s) that connect to all branch routers.  Each DMVPN cloud represents a unique IP subnet. One DMVPN cloud is considered the primary, which all branch traffic transits. On each branch router, there is an mGRE interface into each DMVPN cloud for redundancy. All branch-to-branch communications transit through the primary headend until the dynamic spoke-to-spoke tunnel is created. The dynamic spoke-to-spoke tunnels must be within a single DMVPN cloud or subnet. Spoke-to-spoke tunnels are not possible between two DMVPN clouds.

Network Hardware

The WAN architecture includes the following deployments:

  • The deployment of Cisco 3845 routers equipped with hardware encryption module at the headquarter sites. This module provides a throughput of 180 Mbs and can support up to 2500 tunnels
  • The deployment of Cisco ISR 2800 or 3825 series routers to the remote site and connected to the internet via ADSL, Ethernet, 3G, or other WAN services.  A DMVPN tunnel is established across the Internet, terminating into a head-end VPN router at the Data Center or Internet complex.
  • The remote ISR router acts as an “All-in-One” box allowing for WAN interface to various premise-based application devices to include Cat2960 switches, wireless controllers,  IOS FW, VoIP, analog telephony devices and the PSTN, resulting in huge hardware and administrative cost savings.

VeeMost followed Cisco recommended best practices guidelines

  • Configure Triple DES (3DES) or AES for encryption of transported data
  • Deploy hardware-acceleration of IPsec to minimize router CPU overhead, to support traffic with low latency and jitter requirements, and for the highest performance for cost.
  • Keep IPsec packet fragmentation to a minimum on the customer network by setting MTU size
  • Configure EIGRP routing protocol  with route summarization for dynamic routing.
  • Set up QoS service policies as appropriate on headend and branch router interfaces to help alleviate interface congestion issues and to attempt to keep higher priority traffic from drops