Building a network of geographically distributed branches using DMVPN technology

A network diagram of geographically distributed branches based on DMVPN technology

Description

The effective operation of large organizations, such as commercial holdings, financial and government structures, largely depends on the ability to unite distributed branches into a single virtual secure network. For these purposes, the star topology is often used, where the Hub is the router in the central office, and the Spoke is the router in the branches. The units exchange data with the headquarters through secure tunnels.

The classic site-to-site VPN implementation of this scheme has a serious drawback: static tunnels between each node and the central office, and between the nodes themselves, must be configured manually. This increases the volume of configuration, the number of devices that must be touched, the deployment time and the number of errors. In organizations with a large, extensive infrastructure, such as a bank with tens of thousands of ATMs, these restrictions become critical.

The problem is solved by a more versatile and convenient method of building a virtual network: Dynamic Multipoint VPN (DMVPN) technology, which is supported by the ESR series service routers. In the 3rd quarter of 2025, the device range was expanded with two high-performance new models, the ESR-3250 and ESR-3350. Let's take a closer look at our solution.

For a detailed design guide on creating a virtual network based on DMVPN technology, see the Eltex Design Guides section.


Solution architecture

We use DMVPN technology to establish secure communication channels between the central office and remote branches. This approach provides a more scalable and flexible alternative to traditional site-to-site connections, reducing the amount of manual configuration and speeding up network deployment.

A key advantage of DMVPN is the ability to establish direct dynamic tunnels between two Spoke routers, providing an optimal traffic route within the network. Network scaling occurs without the need to make changes to existing routers: when adding a new node, only the node itself is configured. The technology also supports dynamic assignment of tunnel IP addresses on Spoke routers, which simplifies the management of remote points.

DMVPN is a composite technology that combines:

  • IPsec, which encrypts the communication channel, ensuring secure data transmission between offices;
  • GRE tunneling, which carries multicast and broadcast traffic between branches, so the full range of protocols used in corporate networks can run over the tunnels;
  • NHRP, the protocol underlying DMVPN, which keeps the configuration on the headquarters routers minimal and allows temporary tunnels to be created between branch offices. This reduces the load on the headquarters routers and decreases communication delays between offices.

In DMVPN, there are three modes of Hub and Spoke interaction, known as phases.

Support for DMVPN and all three phases of operation is implemented in ESR service routers. Below we examine their capabilities, using the new models as Hubs and the less powerful models as Spokes.


DMVPN-hub

From the perspective of the NHRP protocol, routers acting as the DMVPN Hub function as the NHS (Next Hop Server). They accept registrations from new participants of the DMVPN cloud and, in the second and third phases, allow participants to establish direct (Spoke-to-Spoke) tunnels. Thus, the main part of the NHRP configuration on the Hub concerns the processing of incoming requests from Spoke routers.

As part of an integrated solution for building a distributed network, we use ESR-3250 and ESR-3350 routers as the Hub. With traffic encryption enabled, they provide data transfer rates of up to 5.3 Gbps (ESR-3250) and 14.5 Gbps (ESR-3350) with IMIX traffic.

Both models are very similar, differing mainly in performance. The ESR-3250 provides routing and traffic filtering at speeds over 50 Gbps, while the ESR-3350 exceeds 100 Gbps.

The routers support MPLS label switching, which allows MPLS networks to be built over DMVPN. In addition, the devices can act as a full-featured firewall, for which a wide range of security mechanisms is implemented (IPS/IDS, AppControl in the firewall, web filtering, etc.).

Clustering is performed in Active/Standby mode (1+1), ensuring continuous operation of services even if an individual node fails.

Both classic tools (CLI, SNMP) and the ECCM management system are available for administration. The ECCM automates configuration, software updates, and equipment monitoring.


DMVPN-Spoke

The ESR-15(R), ESR-30 and ESR-31 models are used as Spokes to connect small and medium-sized branches. These routers support DMVPN, IPsec and MPLS, providing reliable communication with the central office.

General solution scheme

Scheme 1. DMVPN Phase 1 — connecting ATMs to the data center


One of a bank's tasks is to provide a secure, centralized connection for a large number of ATMs distributed across a city, region or country. DMVPN phase 1 is used for this purpose.


In this case, the Hub (for example, an ESR-3250 router) acts as the central point to which all remote nodes of the network, the ATMs, connect directly. The ATMs are equipped with compact routers, in our solution ESR-15 or ESR-15R, which operate as Spokes. Each Spoke connects to the Hub over a GRE tunnel protected by IPsec, preserving the integrity and confidentiality of data transmitted over public networks. The connection and registration of Spoke devices on the Hub is carried out using the NHRP protocol.


In this architecture there are no Spoke-to-Spoke connections. All transactions and service traffic are processed centrally in the data center, which simplifies administration and gives full control over the security of operations. The architecture suits scenarios where direct interaction between nodes is unnecessary: Spoke devices have a simple configuration and a minimal routing table (often only a default route to the Hub). Adding new Spokes requires no configuration on the Hub, since the central router accepts their registration via NHRP.

Scheme 2. DMVPN Phase 3 — connecting regional branches to the central office


When a bank needs to unite dozens of regional branches into a single network in which branches can not only connect to the central office but also interact directly with each other, DMVPN phase 3 is used.


In this architecture, the central node (Hub), for example an ESR-3350 router at the headquarters, still acts as the reference point: it remains the NHS and also terminates and encrypts the IPsec tunnels. However, unlike phase 1, where all traffic is routed solely through the Hub, and phase 2, where a Spoke-to-Spoke connection has to be set up through the Hub first, phase 3 makes routing as flexible and optimal as possible.


Regional offices are equipped with routers, in our solution ESR-30 or ESR-31, which act as Spokes. When one branch needs to communicate with another, a Spoke-to-Spoke tunnel is established using the NHRP protocol. For example, if a bank branch in Novosibirsk syncs data with an office in Omsk, most of the traffic goes directly, bypassing the Hub. This reduces delays and the load on the headquarters equipment.


Phase 3 maintains a balance between centralized management and efficiency. Direct dynamic tunnels are established between branches as needed, while key services and data (CRM, processing, accounting) remain in the central office and are accessible through secure channels.
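The registration and forwarding behaviour described above for the Hub (as NHS) and for the two schemes is modelled in the following Python script. It is an added example written for this page, not Eltex code or an ESR configuration; the router names, tunnel and transport addresses are constructed, and NHRP is reduced to a registration table, a resolution lookup and a phase 3 redirect that installs a shortcut on the source Spoke. IPsec and GRE encapsulation are assumed and not modelled.

```python
"""Toy model of NHRP registration and DMVPN Phase 1 / Phase 3 forwarding.

Added example for this page, not vendor code. Router names and addresses are
constructed; IPsec and GRE encapsulation are assumed and not modelled.
"""
from dataclasses import dataclass, field


@dataclass
class Hub:
    """DMVPN Hub acting as NHS: learns Spokes only from their NHRP registrations."""
    name: str
    phase: int                                      # 1: Hub-and-Spoke only, 3: shortcuts allowed
    nhrp_table: dict = field(default_factory=dict)  # tunnel IP -> registered Spoke

    def register(self, spoke):
        # No per-Spoke configuration on the Hub: the registration itself is enough.
        self.nhrp_table[spoke.tunnel_ip] = spoke

    def resolve(self, tunnel_ip):
        """NHRP resolution: which registered Spoke owns this tunnel address?"""
        return self.nhrp_table.get(tunnel_ip)


@dataclass
class Spoke:
    """Branch router; its only static knowledge is the Hub it registers with."""
    name: str
    tunnel_ip: str      # address inside the mGRE tunnel (overlay)
    nbma_ip: str        # transport (public) address the IPsec-protected GRE tunnel uses
    hub: Hub
    shortcuts: dict = field(default_factory=dict)   # tunnel IP -> peer NBMA (Phase 3 only)

    def __post_init__(self):
        self.hub.register(self)     # NHRP Registration Request to the NHS


def forward(src, dst_tunnel_ip):
    """Forward one packet from src to the Spoke owning dst_tunnel_ip.

    Returns (path, learned): path lists the routers the packet traverses;
    learned is True when this packet caused a Phase 3 shortcut to be installed.
    """
    hub = src.hub
    dst = hub.resolve(dst_tunnel_ip)
    if dst is None:
        raise LookupError(f"{dst_tunnel_ip} is not registered with {hub.name}")

    # A previously learned shortcut bypasses the Hub entirely.
    if dst_tunnel_ip in src.shortcuts:
        return [src.name, dst.name], False

    # Default behaviour: the Spoke's only route points to the Hub.
    path = [src.name, hub.name, dst.name]
    if hub.phase == 3:
        # The Hub forwards the packet and sends an NHRP Traffic Indication (redirect);
        # src resolves dst through the NHS and installs a shortcut for later traffic.
        src.shortcuts[dst_tunnel_ip] = dst.nbma_ip
        return path, True
    return path, False


def phase1_demo():
    """Scheme 1: ATMs behind a Phase 1 Hub; every packet stays Hub-and-Spoke."""
    hub = Hub("DC-Hub", phase=1)
    atm_a = Spoke("ATM-A", "10.0.0.11", "198.51.100.11", hub)
    atm_b = Spoke("ATM-B", "10.0.0.12", "198.51.100.12", hub)
    first, _ = forward(atm_a, atm_b.tunnel_ip)
    second, _ = forward(atm_a, atm_b.tunnel_ip)
    return first, second, dict(atm_a.shortcuts)


def phase3_demo():
    """Scheme 2: branches behind a Phase 3 Hub; the second packet goes direct."""
    hub = Hub("HQ-Hub", phase=3)
    nsk = Spoke("Novosibirsk", "10.0.0.21", "203.0.113.21", hub)
    omsk = Spoke("Omsk", "10.0.0.22", "203.0.113.22", hub)
    first, learned = forward(nsk, omsk.tunnel_ip)    # via Hub, shortcut learned
    second, _ = forward(nsk, omsk.tunnel_ip)         # direct Spoke-to-Spoke
    # A branch added later needs no change on the Hub or on existing Spokes.
    new_branch = Spoke("Branch-3", "10.0.0.23", "203.0.113.23", hub)
    third, _ = forward(omsk, new_branch.tunnel_ip)   # first contact still via Hub
    return first, learned, second, third, dict(nsk.shortcuts)


if __name__ == "__main__":
    print("Phase 1:", phase1_demo())
    print("Phase 3:", phase3_demo())
```

Running the script shows the two forwarding regimes side by side: in phase 1 both packets from ATM-A to ATM-B traverse DC-Hub and ATM-A never learns a shortcut, whereas in phase 3 the first Novosibirsk-to-Omsk packet goes through HQ-Hub and the second goes direct. The late-joined Branch-3 is reachable immediately after its own registration, which is the "configure only the new node" property the text describes.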

Equipment

Service gateways used in the solution:

Model            Interfaces                    FW           IPsec VPN    IPS/IDS       Power supply
ESR-3250 (new)   8x1G Combo, 4x25G SFP28       52.6 Gbps    8.3 Gbps     3.87 Gbps     AC/DC, up to two hot-swappable power supplies
ESR-3350 (new)   8x1G Combo, 4x25G SFP28       106.5 Gbps   23.6 Gbps    12.2 Gbps     AC/DC
ESR-15R          4x1G, 2x1G SFP                1.5 Gbps     267.5 Mbps   39.5 Mbps     AC
ESR-31           8x1G, 6x1G SFP, 2x10G SFP+    8.9 Gbps     879 Mbps     350.2 Mbps    AC/DC
ESR-30           4x1G, 2x10G SFP+              7.7 Gbps     884 Mbps     336.3 Mbps    AC
ESR-15           4x1G, 2x1G SFP                1.53 Gbps    267.5 Mbps   39.5 Mbps     AC