Overview of DSVPN

Definition

Dynamic Smart Virtual Private Network (DSVPN) establishes VPN tunnels between Spokes with dynamically variable public addresses in the Hub-Spoke model.

Purpose

More enterprises want to build the IPsec VPN in Hub-Spoke model to connect the Hub to Spokes in different geographical locations. This enhances enterprise communication security and reduces communication costs. When the Hub uses the static public address to connect to the Internet and Spokes use dynamic public addresses to connect to the Internet, Spokes cannot communicate with each other directly if traditional IPsec or GRE over IPsec is used to build the VPN. This is because Spokes cannot learn the public addresses of the remote ends in advance and tunnels cannot be set up between Spokes. In this case, communication data between Spokes must be forwarded by the Hub.

Figure 1 Typical Hub-Spoke networking without DSVPN enabled
Click to enlarge

When all communication data between Spokes is forwarded by the Hub, the following problems may occur:

Whenever a new Spoke is connected to the Hub, a VPN configuration and maintenance for the Spoke are added to the Hub. In this case, if a large number of Spokes are connected, the Hub configurations become complex. Each time when the network is adjusted, the Hub configurations have to be adjusted accordingly.
If Spokes communicate with each other through the Hub, the transmitted data flows consume the Hub resources and result in an extra delay (especially when IPsec encryption is used). This because the Hub needs to decrypt and then encrypt data packets from the source Spoke before sending them to the destination Spoke.
If Spokes communicate with each other directly and the Spoke egresses use dynamic IP addresses, the Spokes cannot obtain each other's IP address. As a result, a tunnel cannot be established directly between the Spokes.

To resolve this issue, DSVPN uses Next Hop Resolution Protocol (NHRP) to collect and maintain information about dynamically changing public IP addresses of the Spokes. In this manner, the Spokes can obtain each other's public IP address before establishing a tunnel with each other.

Figure 2 Typical Hub-Spoke networking without DSVPN enabled
Click to enlarge

On the network shown in Figure 2, DSVPN allows the Spokes to dynamically establish a Spoke-Spoke tunnel when they use dynamic IP addresses to access the public network. This implements direct communication between the Spokes. In addition, DSVPN supports multipoint Generic Routing Encapsulation (mGRE), which allows multiple GRE tunnels to be set up on a single mGRE tunnel interface. This simplifies subnet traffic management and configurations of GRE and IPsec on devices.

Benefits

Reduced VPN network construction costs

DSVPN implements dynamic connections between the Hub and Spokes, and between Spokes. Spokes do not need to purchase static public network addresses.
Simplified configuration of the Hub and Spokes

The Hub and Spokes use an mGRE tunnel interface but not multiple GRE tunnel interfaces to establish tunnels. When a new Spoke is added to the network, the network administrator does not need to change configurations on the Hub or any existing Spokes. The administrator only needs to configure the new Spoke, and then the Spoke dynamically registers with the Hub.
Reduced data transmission delay between branches

Spokes can dynamically establish tunnels to directly exchange service data, reducing the forwarding delay and improving forwarding performance and efficiency.